From 378194047344afad7684eebe0eacbcc3e656c5c1 Mon Sep 17 00:00:00 2001 From: uri-weisman Date: Thu, 6 Nov 2025 16:38:25 +0200 Subject: [PATCH 1/7] update entity description --- docs/reference/ecs-allowed-values-entity-type.md | 9 +++++++++ docs/reference/ecs-entity.md | 11 ++++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/docs/reference/ecs-allowed-values-entity-type.md b/docs/reference/ecs-allowed-values-entity-type.md index 8ff592348b..30c2ea796c 100644 --- a/docs/reference/ecs-allowed-values-entity-type.md +++ b/docs/reference/ecs-allowed-values-entity-type.md @@ -27,6 +27,8 @@ This field is an array. This allows proper categorization of entities that may f * [service](#ecs-entity-type-service) * [session](#ecs-entity-type-session) * [user](#ecs-entity-type-user) +* [cloud](#ecs-entity-type-cloud) +* [orchestrator](#ecs-entity-type-orchestrator) ## application [ecs-entity-type-application] @@ -78,3 +80,10 @@ Represents a user session or connection session. This includes user login sessio Represents a user account or identity. This includes human users, service accounts, system accounts, and other identity entities that can interact with systems, applications, or services. Users may have various roles, permissions, and attributes associated with their identity. + +## cloud [ecs-entity-type-cloud] +Represents a cloud or infrastructure. This includes cloud providers and their services (such as AWS EC2), and is used to identify or correlate resources, entities, and activities across accounts or multi-cloud environments. + + +## orchestrator [ecs-entity-type-orchestrator] +Represents an orchestration system or orchestrator component. This includes container orchestrators like Kubernetes, Docker Swarm, and other systems responsible for automating the deployment, management, scaling, and networking of containers or workloads. diff --git a/docs/reference/ecs-entity.md b/docs/reference/ecs-entity.md index 369e9b88d0..f59f7fd745 100644 
--- a/docs/reference/ecs-entity.md +++ b/docs/reference/ecs-entity.md @@ -38,5 +38,14 @@ The `entity` fields are expected to be nested at: * `orchestrator.entity` * `service.entity` * `user.entity` +* `entity.target` -Note also that the `entity` fields are not expected to be used directly at the root of the events. + +Note also that the `entity` fields may be used directly at the root of the events. + + +### Field sets that can be nested under User [ecs-entity-nestings] + +| Location | Field Set | Description | +| --- | --- | --- | +| `entity.target.*` | [entity](/reference/ecs-entity.md) | Targeted entity of action taken. | \ No newline at end of file From 8e1237a8f1d8d5b3dae4b6977c47738e20b6e407 Mon Sep 17 00:00:00 2001 From: uri-weisman Date: Tue, 11 Nov 2025 11:14:40 +0200 Subject: [PATCH 2/7] update tests --- docs/reference/ecs-entity.md | 2 +- schemas/entity.yml | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/docs/reference/ecs-entity.md b/docs/reference/ecs-entity.md index f59f7fd745..b61b881053 100644 --- a/docs/reference/ecs-entity.md +++ b/docs/reference/ecs-entity.md @@ -27,7 +27,7 @@ The entity fields provide a standardized way to represent and categorize differe | $$$field-entity-reference$$$ [entity.reference](#field-entity-reference) | _This field is beta and subject to change._ A URI, URL, or other direct reference to access or locate the entity in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system.

type: keyword | extended | | $$$field-entity-source$$$ [entity.source](#field-entity-source) | _This field is beta and subject to change._ The module or integration that provided this entity data (similar to event.module).

type: keyword | core | | $$$field-entity-sub-type$$$ [entity.sub_type](#field-entity-sub-type) | _This field is beta and subject to change._ The specific type designation for the entity as defined by its provider or system. This field provides more granular classification than the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` would all map to entity type `bucket`. `hardware` , `virtual` , `container` , `node` , `cloud_instance` would all map to entity type `host`.

type: keyword

example: `aws_s3_bucket` | extended | -| $$$field-entity-type$$$ [entity.type](#field-entity-type) | _This field is beta and subject to change._ A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, etc.

type: keyword

Note: This field should contain an array of values.

**Important:** The field value must be one of the following:

bucket, database, container, function, queue, host, user, application, service, session

To learn more about when to use which value, visit the page [allowed values for entity.type](/reference/ecs-allowed-values-entity-type.md)
| core | +| $$$field-entity-type$$$ [entity.type](#field-entity-type) | _This field is beta and subject to change._ A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc.

type: keyword

Note: This field should contain an array of values.

**Important:** The field value must be one of the following:

bucket, database, container, function, queue, host, user, application, service, session

To learn more about when to use which value, visit the page [allowed values for entity.type](/reference/ecs-allowed-values-entity-type.md)
| core | ## Field reuse [_field_reuse] diff --git a/schemas/entity.yml b/schemas/entity.yml index b4ec7dbedd..a0527e92f8 100644 --- a/schemas/entity.yml +++ b/schemas/entity.yml @@ -62,7 +62,7 @@ short: Standardized high-level classification of the entity. description: > A standardized high-level classification of the entity. This provides a normalized way - to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, etc. + to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. normalize: - array allowed_values: @@ -96,6 +96,12 @@ - name: session description: > Represents a user session or connection session. This includes user login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. + - name: cloud + description: > + Represents a cloud or infrastructure. This includes cloud providers and their services (such as AWS EC2), and is used to identify or correlate resources, entities, and activities across accounts or multi-cloud environments. + - name: orchestrator + description: > + Represents an orchestration system or orchestrator component. This includes container orchestrators like Kubernetes, Docker Swarm, and other systems responsible for automating the deployment, management, scaling, and networking of containers or workloads. example: host beta: This field is beta and subject to change. From a0108a5ba902bde1d87291e4eb4525ab75c17f01 Mon Sep 17 00:00:00 2001 
From: uri-weisman Date: Tue, 11 Nov 2025 11:21:47 +0200 Subject: [PATCH 3/7] update tests 2 --- generated/ecs/ecs_flat.yml | 50713 ++++++++++++++++++++++++++++++-- generated/ecs/ecs_nested.yml | 51703 +++++++++++++++++++++++++++++++-- schemas/entity.yml | 10 + 3 files changed, 97330 insertions(+), 5096 deletions(-) diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 06378fca8d..be3fd39d4c 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -130,7 +130,6 @@ client.address: normalize: [] otel: - relation: match - stability: stable short: Client network address. type: keyword client.as.number: @@ -396,7 +395,6 @@ client.port: normalize: [] otel: - relation: match - stability: stable short: Port of the client. type: long client.registered_domain: 
@@ -475,6 +473,263 @@ client.user.email: original_fieldset: user short: User email address. type: keyword +client.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: client.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +client.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: client.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +client.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: client.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: client.user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +client.user.entity.id: + dashed_name: client-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: client.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +client.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: client.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +client.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: client.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +client.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: client.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +client.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: client.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: client.user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +client.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. 
+ flat_name: client.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +client.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: client.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +client.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: client.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +client.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: client.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +client.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. 
This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: client-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: client.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword client.user.full_name: dashed_name: client-user-full-name description: User's full name, if available. 
@@ -569,6 +824,86 @@ client.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +client.user.risk.calculated_level: + dashed_name: client-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: client.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +client.user.risk.calculated_score: + dashed_name: client-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: client.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +client.user.risk.calculated_score_norm: + dashed_name: client-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: client.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +client.user.risk.static_level: + dashed_name: client-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: client.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +client.user.risk.static_score: + dashed_name: client-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: client.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +client.user.risk.static_score_norm: + dashed_name: client-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: client.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float client.user.roles: dashed_name: client-user-roles description: Array of user roles at the time of the event. @@ -597,7 +932,6 @@ cloud.account.id: normalize: [] otel: - relation: match - stability: development short: The cloud account or organization id. type: keyword cloud.account.name: @@ -625,7 +959,6 @@ cloud.availability_zone: normalize: [] otel: - relation: match - stability: development short: Availability zone in which this host, resource, or service is located. type: keyword cloud.entity.attributes: 
@@ -860,12 +1193,21 @@ cloud.entity.type: login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: cloud-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: cloud.entity.type ignore_above: 1024 
@@ -1182,12 +1524,21 @@ cloud.origin.entity.type: login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: cloud-origin-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: cloud.origin.entity.type ignore_above: 1024 @@ -1340,7 +1691,6 @@ cloud.provider: normalize: [] otel: - relation: match - stability: development short: Name of the cloud provider. type: keyword cloud.region: @@ -1354,7 +1704,6 @@ cloud.region: normalize: [] otel: - relation: match - stability: development short: Region in which this host, resource, or service is located. type: keyword cloud.service.name: @@ -1373,7 +1722,6 @@ cloud.service.name: otel: - attribute: cloud.platform relation: equivalent - stability: development short: The cloud service name. type: keyword cloud.target.account.id: 
@@ -1650,12 +1998,21 @@ cloud.target.entity.type: login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: cloud-target-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: cloud.target.entity.type ignore_above: 1024 @@ -1781,7 +2138,6 @@ container.cpu.usage: otel: - metric: container.cpu.usage relation: metric - stability: development scaling_factor: 1000 short: Percent CPU used, between 0 and 1. type: scaled_float @@ -1815,7 +2171,6 @@ container.id: normalize: [] otel: - relation: match - stability: development short: Unique container id. type: keyword container.image.hash.all: @@ -1833,7 +2188,6 @@ container.image.hash.all: otel: - attribute: container.image.repo_digests relation: equivalent - stability: development short: An array of digests of the image the container was built on. type: keyword container.image.name: 
@@ -1846,7 +2200,6 @@ container.image.name: normalize: [] otel: - relation: match - stability: development short: Name of the image the container was built on. type: keyword container.image.tag: @@ -1861,7 +2214,6 @@ container.image.tag: otel: - attribute: container.image.tags relation: equivalent - stability: development short: Container image tags. synthetic_source_keep: none type: keyword @@ -1876,7 +2228,6 @@ container.labels: otel: - attribute: container.label relation: related - stability: development short: Image labels. type: object container.memory.usage: @@ -1890,7 +2241,6 @@ container.memory.usage: otel: - metric: container.memory.usage relation: metric - stability: development scaling_factor: 1000 short: Percent memory used, between 0 and 1. type: scaled_float @@ -1904,7 +2254,6 @@ container.name: normalize: [] otel: - relation: match - stability: development short: Container name. type: keyword container.network.egress.bytes: @@ -1939,7 +2288,6 @@ container.runtime: otel: - attribute: container.runtime.name relation: equivalent - stability: development short: Runtime managing this container. type: keyword container.security_context.privileged: @@ -2018,7 +2366,6 @@ destination.address: normalize: [] otel: - relation: match - stability: development short: Destination network address. type: keyword destination.as.number: @@ -2283,7 +2630,6 @@ destination.port: normalize: [] otel: - relation: match - stability: development short: Port of the destination. type: long destination.registered_domain: 
@@ -2362,6 +2708,263 @@ destination.user.email: original_fieldset: user short: User email address. type: keyword +destination.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: destination.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +destination.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: destination.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +destination.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: destination.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: destination.user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +destination.user.entity.id: + dashed_name: destination-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: destination.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +destination.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: destination.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +destination.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: destination.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +destination.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: destination.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +destination.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: destination.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: destination.user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +destination.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. 
+ flat_name: destination.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +destination.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: destination.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +destination.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: destination.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +destination.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: destination.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +destination.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. 
This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: destination.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword destination.user.full_name: dashed_name: destination-user-full-name description: User's full name, if available. 
@@ -2456,6 +3059,86 @@ destination.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +destination.user.risk.calculated_level: + dashed_name: destination-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: destination.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +destination.user.risk.calculated_score: + dashed_name: destination-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: destination.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +destination.user.risk.calculated_score_norm: + dashed_name: destination-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: destination.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +destination.user.risk.static_level: + dashed_name: destination-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: destination.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +destination.user.risk.static_score: + dashed_name: destination-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: destination.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +destination.user.risk.static_score_norm: + dashed_name: destination-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: destination.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float destination.user.roles: dashed_name: destination-user-roles description: Array of user roles at the time of the event. @@ -2489,7 +3172,6 @@ device.id: normalize: [] otel: - relation: match - stability: development short: The unique identifier of a device. type: keyword device.manufacturer: @@ -2503,7 +3185,6 @@ device.manufacturer: normalize: [] otel: - relation: match - stability: development short: The vendor name of the device manufacturer. type: keyword device.model.identifier: 
@@ -2517,7 +3198,6 @@ device.model.identifier: normalize: [] otel: - relation: match - stability: development short: The machine readable identifier of the device model. type: keyword device.model.name: @@ -2531,7 +3211,6 @@ device.model.name: normalize: [] otel: - relation: match - stability: development short: The human readable marketing name of the device model. type: keyword device.product.id: @@ -3245,7 +3924,6 @@ dns.answers: otel: - attribute: dns.answers relation: related - stability: development short: Array of DNS answers. type: object dns.answers.class: @@ -3383,7 +4061,6 @@ dns.question.name: normalize: [] otel: - relation: match - stability: development short: The name being queried. type: keyword dns.question.registered_domain: @@ -3863,7 +4540,6 @@ error.message: otel: - attribute: exception.message relation: equivalent - stability: stable short: Error message. type: match_only_text error.stack_trace: @@ -3880,7 +4556,6 @@ error.stack_trace: otel: - attribute: exception.stacktrace relation: equivalent - stability: stable short: The stack trace of this error in plain text. type: wildcard error.type: @@ -3894,7 +4569,6 @@ error.type: normalize: [] otel: - relation: match - stability: stable short: The type of the error, for example the class name of the exception. type: keyword event.action: @@ -4770,7 +5444,6 @@ faas.coldstart: normalize: [] otel: - relation: match - stability: development short: Boolean value indicating a cold start of a function. type: boolean faas.execution: @@ -4785,7 +5458,6 @@ faas.execution: otel: - attribute: faas.invocation_id relation: equivalent - stability: development short: The execution ID of the current function execution. type: keyword faas.id: @@ -4813,7 +5485,6 @@ faas.name: normalize: [] otel: - relation: match - stability: development short: The name of a serverless function. type: keyword faas.trigger.request_id: 
@@ -4845,7 +5516,6 @@ faas.trigger.type: otel: - attribute: faas.trigger relation: equivalent - stability: development short: The trigger for the function execution. type: keyword faas.version: @@ -4859,7 +5529,6 @@ faas.version: normalize: [] otel: - relation: match - stability: development short: The version of a serverless function. type: keyword file.accessed: @@ -4873,7 +5542,6 @@ file.accessed: normalize: [] otel: - relation: match - stability: development short: Last time the file was accessed. type: date file.attributes: @@ -4892,7 +5560,6 @@ file.attributes: - array otel: - relation: match - stability: development short: Array of file attributes. synthetic_source_keep: none type: keyword @@ -5058,7 +5725,6 @@ file.created: normalize: [] otel: - relation: match - stability: development short: File creation time. type: date file.ctime: @@ -5074,7 +5740,6 @@ file.ctime: otel: - attribute: file.changed relation: equivalent - stability: development short: Last time the file attributes or metadata changed. type: date file.device: @@ -5100,7 +5765,6 @@ file.directory: normalize: [] otel: - relation: match - stability: development short: Directory where the file is located. type: keyword file.drive_letter: @@ -5573,7 +6237,6 @@ file.extension: normalize: [] otel: - relation: match - stability: development short: File extension, excluding the leading dot. type: keyword file.fork_name: @@ -5599,7 +6262,6 @@ file.fork_name: normalize: [] otel: - relation: match - stability: development short: A fork is additional data associated with a filesystem object. type: keyword file.gid: @@ -5614,7 +6276,6 @@ file.gid: otel: - attribute: file.group.id relation: equivalent - stability: development short: Primary group ID (GID) of the file. type: keyword file.group: @@ -5629,7 +6290,6 @@ file.group: otel: - attribute: file.group.name relation: equivalent - stability: development short: Primary group name of the file. type: keyword file.hash.cdhash: 
@@ -5734,7 +6394,6 @@ file.inode: normalize: [] otel: - relation: match - stability: development short: Inode representing the file in the filesystem. type: keyword file.macho.go_import_hash: @@ -5959,7 +6618,6 @@ file.mode: normalize: [] otel: - relation: match - stability: development short: Mode of the file in octal representation. type: keyword file.mtime: @@ -5972,7 +6630,6 @@ file.mtime: otel: - attribute: file.modified relation: equivalent - stability: development short: Last time the file content was modified. type: date file.name: @@ -5986,7 +6643,6 @@ file.name: normalize: [] otel: - relation: match - stability: development short: Name of the file including the extension, without the directory. type: keyword file.origin_referrer_url: @@ -6025,7 +6681,6 @@ file.owner: otel: - attribute: file.owner.name relation: equivalent - stability: development short: File owner's username. type: keyword file.path: @@ -6044,7 +6699,6 @@ file.path: normalize: [] otel: - relation: match - stability: development short: Full path to the file, including the file name. type: keyword file.pe.architecture: @@ -6345,7 +6999,6 @@ file.size: normalize: [] otel: - relation: match - stability: development short: File size in bytes. type: long file.target_path: @@ -6363,7 +7016,6 @@ file.target_path: otel: - attribute: file.symbolic_link.target_path relation: equivalent - stability: development short: Target path for symlinks. type: keyword file.type: @@ -6389,7 +7041,6 @@ file.uid: otel: - attribute: file.owner.id relation: equivalent - stability: development short: The user ID (UID) or security identifier (SID) of the file owner. type: keyword file.x509.alternative_names: @@ -6710,7 +7361,6 @@ gen_ai.agent.description: normalize: [] otel: - relation: match - stability: development short: Free-form description of the GenAI agent provided by the application. type: keyword gen_ai.agent.id: 
@@ -6725,7 +7375,6 @@ gen_ai.agent.id: normalize: [] otel: - relation: match - stability: development short: The unique identifier of the GenAI agent. type: keyword gen_ai.agent.name: @@ -6740,7 +7389,6 @@ gen_ai.agent.name: normalize: [] otel: - relation: match - stability: development short: Human-readable name of the GenAI agent provided by the application. type: keyword gen_ai.operation.name: @@ -6755,7 +7403,6 @@ gen_ai.operation.name: normalize: [] otel: - relation: match - stability: development short: The name of the operation being performed. type: keyword gen_ai.output.type: @@ -6770,7 +7417,6 @@ gen_ai.output.type: normalize: [] otel: - relation: match - stability: development short: Represents the content type requested by the client. type: keyword gen_ai.request.choice.count: @@ -6784,7 +7430,6 @@ gen_ai.request.choice.count: normalize: [] otel: - relation: match - stability: development short: The target number of candidate completions to return. type: integer gen_ai.request.encoding_formats: @@ -6798,7 +7443,6 @@ gen_ai.request.encoding_formats: normalize: [] otel: - relation: match - stability: development short: The encoding formats requested in an embeddings operation, if specified. type: nested gen_ai.request.frequency_penalty: @@ -6812,7 +7456,6 @@ gen_ai.request.frequency_penalty: normalize: [] otel: - relation: match - stability: development short: The frequency penalty setting for the GenAI request. type: double gen_ai.request.max_tokens: @@ -6826,7 +7469,6 @@ gen_ai.request.max_tokens: normalize: [] otel: - relation: match - stability: development short: The maximum number of tokens the model generates for a request. type: integer gen_ai.request.model: @@ -6841,7 +7483,6 @@ gen_ai.request.model: normalize: [] otel: - relation: match - stability: development short: The name of the GenAI model a request is being made to. type: keyword gen_ai.request.presence_penalty: 
@@ -6855,7 +7496,6 @@ gen_ai.request.presence_penalty: normalize: [] otel: - relation: match - stability: development short: The presence penalty setting for the GenAI request. type: double gen_ai.request.seed: @@ -6869,7 +7509,6 @@ gen_ai.request.seed: normalize: [] otel: - relation: match - stability: development short: Requests with same seed value more likely to return same result. type: integer gen_ai.request.stop_sequences: @@ -6884,7 +7523,6 @@ gen_ai.request.stop_sequences: normalize: [] otel: - relation: match - stability: development short: List of sequences that the model will use to stop generating further tokens. type: nested gen_ai.request.temperature: @@ -6898,7 +7536,6 @@ gen_ai.request.temperature: normalize: [] otel: - relation: match - stability: development short: The temperature setting for the GenAI request. type: double gen_ai.request.top_k: @@ -6912,7 +7549,6 @@ gen_ai.request.top_k: normalize: [] otel: - relation: match - stability: development short: The top_k sampling setting for the GenAI request. type: double gen_ai.request.top_p: @@ -6926,7 +7562,6 @@ gen_ai.request.top_p: normalize: [] otel: - relation: match - stability: development short: The top_p sampling setting for the GenAI request. type: double gen_ai.response.finish_reasons: @@ -6941,7 +7576,6 @@ gen_ai.response.finish_reasons: normalize: [] otel: - relation: match - stability: development short: Array of reasons the model stopped generating tokens, corresponding to each generation received. type: nested @@ -6957,7 +7591,6 @@ gen_ai.response.id: normalize: [] otel: - relation: match - stability: development short: The unique identifier for the completion. type: keyword gen_ai.response.model: @@ -6972,7 +7605,6 @@ gen_ai.response.model: normalize: [] otel: - relation: match - stability: development short: The name of the model that generated the response. type: keyword gen_ai.system: 
@@ -6988,7 +7620,6 @@ gen_ai.system: otel: - attribute: gen_ai.provider.name relation: equivalent - stability: development short: The Generative AI product as identified by the client or server instrumentation. type: keyword gen_ai.token.type: @@ -7003,7 +7634,6 @@ gen_ai.token.type: normalize: [] otel: - relation: match - stability: development short: The type of token being counted. type: keyword gen_ai.tool.call.id: @@ -7018,7 +7648,6 @@ gen_ai.tool.call.id: normalize: [] otel: - relation: match - stability: development short: The tool call identifier. type: keyword gen_ai.tool.name: @@ -7033,7 +7662,6 @@ gen_ai.tool.name: normalize: [] otel: - relation: match - stability: development short: Name of the tool utilized by the agent. type: keyword gen_ai.tool.type: @@ -7048,7 +7676,6 @@ gen_ai.tool.type: normalize: [] otel: - relation: match - stability: development short: Type of the tool utilized by the agent type: keyword gen_ai.usage.input_tokens: @@ -7062,7 +7689,6 @@ gen_ai.usage.input_tokens: normalize: [] otel: - relation: match - stability: development short: The number of tokens used in the GenAI input (prompt). type: integer gen_ai.usage.output_tokens: @@ -7076,7 +7702,6 @@ gen_ai.usage.output_tokens: normalize: [] otel: - relation: match - stability: development short: The number of tokens used in the GenAI response (completion). type: integer group.domain: @@ -7123,7 +7748,6 @@ host.architecture: otel: - attribute: host.arch relation: equivalent - stability: development short: Operating system architecture. type: keyword host.boot.id: @@ -7156,7 +7780,6 @@ host.cpu.usage: otel: - metric: system.cpu.utilization relation: metric - stability: development scaling_factor: 1000 short: Percent CPU used, between 0 and 1. type: scaled_float @@ -7171,7 +7794,6 @@ host.disk.read.bytes: otel: - metric: system.disk.io relation: metric - stability: development short: The number of bytes read by all disks. type: long host.disk.write.bytes: 
@@ -7185,7 +7807,6 @@ host.disk.write.bytes: otel: - metric: system.disk.io relation: metric - stability: development short: The number of bytes written on all disks. type: long host.domain: @@ -7434,12 +8055,21 @@ host.entity.type: login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: host-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: host.entity.type ignore_above: 1024 @@ -7616,7 +8246,6 @@ host.id: normalize: [] otel: - relation: match - stability: development short: Unique host id. type: keyword host.ip: @@ -7629,7 +8258,6 @@ host.ip: - array otel: - relation: match - stability: development short: Host ip addresses. synthetic_source_keep: none type: ip @@ -7649,7 +8277,6 @@ host.mac: - array otel: - relation: match - stability: development pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ short: Host MAC addresses. synthetic_source_keep: none 
@@ -7668,7 +8295,6 @@ host.name: normalize: [] otel: - relation: match - stability: development short: Name of the host. type: keyword host.network.egress.bytes: @@ -7682,7 +8308,6 @@ host.network.egress.bytes: otel: - metric: system.network.io relation: metric - stability: development short: The number of bytes sent on all network interfaces. type: long host.network.egress.packets: @@ -7696,7 +8321,6 @@ host.network.egress.packets: otel: - metric: system.network.packet.count relation: metric - stability: development short: The number of packets sent on all network interfaces. type: long host.network.ingress.bytes: @@ -7710,7 +8334,6 @@ host.network.ingress.bytes: otel: - metric: system.network.io relation: metric - stability: development short: The number of bytes received on all network interfaces. type: long host.network.ingress.packets: @@ -7724,7 +8347,6 @@ host.network.ingress.packets: otel: - metric: system.network.packet.count relation: metric - stability: development short: The number of packets received on all network interfaces. type: long host.os.family: @@ -7937,7 +8559,6 @@ host.type: normalize: [] otel: - relation: match - stability: development short: Type of host. type: keyword host.uptime: @@ -7951,7 +8572,6 @@ host.uptime: otel: - metric: system.uptime relation: metric - stability: development short: Seconds the host has been up. type: long http.request.body.bytes: @@ -7966,7 +8586,6 @@ http.request.body.bytes: otel: - attribute: http.request.body.size relation: equivalent - stability: development short: Size in bytes of the request body. type: long http.request.body.content: @@ -7995,7 +8614,6 @@ http.request.bytes: otel: - attribute: http.request.size relation: equivalent - stability: development short: Total size in bytes of the request (body and headers). type: long http.request.id: 
@@ -8028,7 +8646,6 @@ http.request.method: otel: - attribute: http.request.method_original relation: equivalent - stability: stable - attribute: http.request.method note: '`http.request.method` in SemConv is the known, normalized, upper case value of the request method, other than the ECS'' `http.request.method` that retains @@ -8036,7 +8653,6 @@ http.request.method: ' relation: conflict - stability: stable short: HTTP request method. type: keyword http.request.mime_type: @@ -8077,7 +8693,6 @@ http.response.body.bytes: otel: - attribute: http.response.body.size relation: equivalent - stability: development short: Size in bytes of the response body. type: long http.response.body.content: @@ -8106,7 +8721,6 @@ http.response.bytes: otel: - attribute: http.response.size relation: equivalent - stability: development short: Total size in bytes of the response (body and headers). type: long http.response.mime_type: @@ -8135,7 +8749,6 @@ http.response.status_code: normalize: [] otel: - relation: match - stability: stable short: HTTP response status code. type: long http.version: @@ -8150,14 +8763,12 @@ http.version: otel: - attribute: network.protocol.name relation: related - stability: stable - attribute: network.protocol.version note: 'In OTel SemConv, `network.protocol.version` specifies the HTTP version if the value of `network.protocol.name` is `http`. ' relation: related - stability: stable short: HTTP version. type: keyword labels: @@ -8177,10 +8788,8 @@ labels: otel: - attribute: k8s.pod.label relation: related - stability: development - attribute: container.label relation: related - stability: development short: Custom key/value pairs. type: object log.file.path: @@ -8197,7 +8806,6 @@ log.file.path: normalize: [] otel: - relation: match - stability: development short: Full path to the log file this event came from. type: keyword log.level: 
@@ -8618,7 +9226,6 @@ network.protocol: otel: - attribute: network.protocol.name relation: equivalent - stability: stable short: Application protocol name. type: keyword network.transport: @@ -8635,7 +9242,6 @@ network.transport: normalize: [] otel: - relation: match - stability: stable short: Protocol Name corresponding to the field `iana_number`. type: keyword network.type: @@ -8652,7 +9258,6 @@ network.type: normalize: [] otel: - relation: match - stability: stable short: In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc type: keyword @@ -9490,12 +10095,21 @@ orchestrator.entity.type: login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: orchestrator-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: orchestrator.entity.type ignore_above: 1024 
@@ -9812,7 +10426,6 @@ process.args: otel: - attribute: process.command_args relation: equivalent - stability: development short: Array of process arguments. type: keyword process.args_count: 
@@ -9829,9 +10442,512 @@ process.args_count: normalize: [] otel: - relation: match - stability: development short: Length of the process.args array. type: long +process.attested_groups.domain: + dashed_name: process-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.attested_groups.id: + dashed_name: process-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.attested_groups.name: + dashed_name: process-attested-groups-name + description: Name of the group. + flat_name: process.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.attested_user.domain: + dashed_name: process-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.attested_user.email: + dashed_name: process-attested-user-email + description: User email address. + flat_name: process.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. 
+ type: keyword +process.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.attested_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.attested_user.entity.id: + dashed_name: process-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. 
Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.attested_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. 
While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. 
This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.attested_user.full_name: + dashed_name: process-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.attested_user.group.domain: + dashed_name: process-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.attested_user.group.id: + dashed_name: process-attested-user-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.attested_user.group.name: + dashed_name: process-attested-user-group-name + description: Name of the group. + flat_name: process.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.attested_user.hash: + dashed_name: process-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.attested_user.id: + dashed_name: process-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.attested_user.name: + dashed_name: process-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword +process.attested_user.risk.calculated_level: + dashed_name: process-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.attested_user.risk.calculated_score: + dashed_name: process-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.attested_user.risk.calculated_score_norm: + dashed_name: process-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.attested_user.risk.static_level: + dashed_name: process-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.attested_user.risk.static_score: + dashed_name: process-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.attested_user.risk.static_score_norm: + dashed_name: process-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.attested_user.roles: + dashed_name: process-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword process.code_signature.digest_algorithm: dashed_name: process-code-signature-digest-algorithm description: 'The hashing algorithm used to sign the process. 
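Review bot: the `process.attested_user.*` block now carries the full `user` field set (`email`, `full_name`, `hash`, `group.*`, `roles`, `risk.*` and the whole `entity.*` set), whereas the pre-change side of the `entry_leader` hunk further down shows that attestation previously exposed only `attested_user.id`, `attested_user.name` and `attested_groups.name`. Going by the name, the `attested_*` fields carry identity facts the sensor vouches for at execution time; analyst-derived `risk.calculated_score` values and behaviour-derived `entity.behavior` data do not fit that meaning, and importing them here blurs what "attested" promises. If the goal is only to pick up `domain`, `group.id` and `entity.id`, restrict the reuse to those fields rather than importing everything. Separately, the `process.attested_user.entity.name` description says "this field should mirrors the corresponding *.name value"; that typo comes from the entity source schema and is reproduced at every nesting, so fix it at the source and regenerate rather than patching the generated file.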
@@ -10000,7 +11116,6 @@ process.command_line: normalize: [] otel: - relation: match - stability: development short: Full command line that started the process. type: wildcard process.elf.architecture: @@ -10455,6 +11570,17 @@ process.end: normalize: [] short: The time the process ended. type: date +process.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean process.entity_id: dashed_name: process-entity-id description: 'Unique identifier for the process. 
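Review bot: the description of the new `process.endpoint_security_client` field, "Processes that have an endpoint security client must have the com.apple.endpointsecurity entitlement and the value is set to true in the message.", is ungrammatical, never names the platform it applies to, and does not say the same thing as its `short` text ("Indicates whether this process executable is an Endpoint Security client"). Suggest a description along the lines of "True if the process executable carries the macOS Endpoint Security client entitlement, as reported by the endpoint sensor.", and verify the entitlement key against Apple's Endpoint Security documentation before it ships in a schema, since `com.apple.endpointsecurity` as written does not look like a complete entitlement identifier. This field, like the `stability: development` removal under `process.command_line` in the same region, also looks unrelated to the entity-type work in this series.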
@@ -10505,318 +11631,355 @@ process.entry_leader.args_count: original_fieldset: process short: Length of the process.args array. type: long -process.entry_leader.attested_groups.name: - dashed_name: process-entry-leader-attested-groups-name - description: Name of the group. - flat_name: process.entry_leader.attested_groups.name +process.entry_leader.attested_groups.domain: + dashed_name: process-entry-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.attested_groups.domain ignore_above: 1024 level: extended - name: name + name: domain normalize: [] original_fieldset: group - short: Name of the group. + short: Name of the directory the group is a member of. type: keyword -process.entry_leader.attested_user.id: - dashed_name: process-entry-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.attested_user.id +process.entry_leader.attested_groups.id: + dashed_name: process-entry-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.attested_groups.id ignore_above: 1024 - level: core + level: extended name: id normalize: [] - original_fieldset: user - short: Unique identifier of the user. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword -process.entry_leader.attested_user.name: - dashed_name: process-entry-leader-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.attested_user.name +process.entry_leader.attested_groups.name: + dashed_name: process-entry-leader-attested-groups-name + description: Name of the group. 
+ flat_name: process.entry_leader.attested_groups.name ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.attested_user.name.text - name: text - type: match_only_text + level: extended name: name normalize: [] - original_fieldset: user - short: Short name or login of the user. + original_fieldset: group + short: Name of the group. type: keyword -process.entry_leader.command_line: - dashed_name: process-entry-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. +process.entry_leader.attested_user.domain: + dashed_name: process-entry-leader-attested-user-domain + description: 'Name of the directory the user is a member of. - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.entry_leader.command_line + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.attested_user.domain + ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.entry_leader.command_line.text - name: text - type: match_only_text - name: command_line + name: domain normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.entry_leader.entity_id: - dashed_name: process-entry-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' 
- example: c2c455d9f99375d - flat_name: process.entry_leader.entity_id + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.entry_leader.attested_user.email: + dashed_name: process-entry-leader-attested-user-email + description: User email address. + flat_name: process.entry_leader.attested_user.email ignore_above: 1024 level: extended - name: entity_id + name: email normalize: [] - original_fieldset: process - short: Unique identifier for the process. + original_fieldset: user + short: User email address. type: keyword -process.entry_leader.entry_meta.source.ip: - dashed_name: process-entry-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.entry_leader.entry_meta.source.ip - level: core - name: ip +process.entry_leader.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.entry_leader.attested_user.entity.attributes + level: extended + name: attributes normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.entry_leader.entry_meta.type: - dashed_name: process-entry-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.entry_leader.entry_meta.type - ignore_above: 1024 + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. 
+ type: object +process.entry_leader.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.entry_leader.attested_user.entity.behavior level: extended - name: entry_meta.type + name: behavior normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword -process.entry_leader.executable: - dashed_name: process-entry-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.entry_leader.executable + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.entry_leader.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.attested_user.entity.display_name ignore_above: 1024 level: extended multi_fields: - - flat_name: process.entry_leader.executable.text + - flat_name: process.entry_leader.attested_user.entity.display_name.text name: text type: match_only_text - name: executable + name: display_name normalize: [] - original_fieldset: process - short: Absolute path to the process executable. 
+ original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. type: keyword -process.entry_leader.group.id: - dashed_name: process-entry-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.group.id +process.entry_leader.attested_user.entity.id: + dashed_name: process-entry-leader-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.entry_leader.attested_user.entity.id ignore_above: 1024 - level: extended + level: core name: id normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: entity + short: Unique identifier for the entity. type: keyword -process.entry_leader.group.name: - dashed_name: process-entry-leader-group-name - description: Name of the group. - flat_name: process.entry_leader.group.name - ignore_above: 1024 +process.entry_leader.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. 
+ flat_name: process.entry_leader.attested_user.entity.last_seen_timestamp level: extended - name: name + name: last_seen_timestamp normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.interactive: - dashed_name: process-entry-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.entry_leader.interactive + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.entry_leader.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.attested_user.entity.lifecycle level: extended - name: interactive + name: lifecycle normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.entry_leader.name: - dashed_name: process-entry-leader-name - description: 'Process name. - - Sometimes called program name or similar.' 
- example: ssh - flat_name: process.entry_leader.name - ignore_above: 1024 + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.entry_leader.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.entry_leader.attested_user.entity.metrics level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.entry_leader.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.entry_leader.attested_user.entity.name + ignore_above: 1024 + level: core multi_fields: - - flat_name: process.entry_leader.name.text + - flat_name: process.entry_leader.attested_user.entity.name.text name: text type: match_only_text name: name normalize: [] - original_fieldset: process - short: Process name. + original_fieldset: entity + short: The name of the entity. type: keyword -process.entry_leader.parent.entity_id: - dashed_name: process-entry-leader-parent-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. 
- - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.parent.entity_id +process.entry_leader.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.entry_leader.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.entry_leader.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.attested_user.entity.reference ignore_above: 1024 level: extended - name: entity_id + name: reference normalize: [] - original_fieldset: process - short: Unique identifier for the process. + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. type: keyword -process.entry_leader.parent.pid: - dashed_name: process-entry-leader-parent-pid - description: Process id. - example: 4242 - flat_name: process.entry_leader.parent.pid - format: string +process.entry_leader.attested_user.entity.source: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-attested-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.entry_leader.attested_user.entity.source + ignore_above: 1024 level: core - name: pid + name: source normalize: [] - original_fieldset: process - short: Process id. - type: long -process.entry_leader.parent.session_leader.entity_id: - dashed_name: process-entry-leader-parent-session-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.parent.session_leader.entity_id + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.entry_leader.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.attested_user.entity.sub_type ignore_above: 1024 level: extended - name: entity_id + name: sub_type normalize: [] - original_fieldset: process - short: Unique identifier for the process. 
+ original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. type: keyword -process.entry_leader.parent.session_leader.pid: - dashed_name: process-entry-leader-parent-session-leader-pid - description: Process id. - example: 4242 - flat_name: process.entry_leader.parent.session_leader.pid - format: string +process.entry_leader.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. 
This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.entry_leader.attested_user.entity.type + ignore_above: 1024 level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long -process.entry_leader.parent.session_leader.start: - dashed_name: process-entry-leader-parent-session-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.session_leader.start + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.entry_leader.attested_user.full_name: + dashed_name: process-entry-leader-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.attested_user.full_name + ignore_above: 1024 level: extended - name: start + multi_fields: + - flat_name: process.entry_leader.attested_user.full_name.text + name: text + type: match_only_text + name: full_name normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.entry_leader.parent.session_leader.vpid: - dashed_name: process-entry-leader-parent-session-leader-vpid - description: 'Virtual process id. + original_fieldset: user + short: User's full name, if available. 
+ type: keyword +process.entry_leader.attested_user.group.domain: + dashed_name: process-entry-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.entry_leader.parent.session_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.entry_leader.parent.start: - dashed_name: process-entry-leader-parent-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.start + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.attested_user.group.domain + ignore_above: 1024 level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.entry_leader.parent.vpid: - dashed_name: process-entry-leader-parent-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.entry_leader.parent.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.entry_leader.pid: - dashed_name: process-entry-leader-pid - description: Process id. - example: 4242 - flat_name: process.entry_leader.pid - format: string - level: core - name: pid + name: domain normalize: [] - original_fieldset: process - short: Process id. 
- type: long -process.entry_leader.real_group.id: - dashed_name: process-entry-leader-real-group-id + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.attested_user.group.id: + dashed_name: process-entry-leader-attested-user-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.real_group.id + flat_name: process.entry_leader.attested_user.group.id ignore_above: 1024 level: extended name: id @@ -10824,10 +11987,10 @@ process.entry_leader.real_group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.entry_leader.real_group.name: - dashed_name: process-entry-leader-real-group-name +process.entry_leader.attested_user.group.name: + dashed_name: process-entry-leader-attested-user-group-name description: Name of the group. - flat_name: process.entry_leader.real_group.name + flat_name: process.entry_leader.attested_user.group.name ignore_above: 1024 level: extended name: name 
@@ -10835,11 +11998,26 @@ process.entry_leader.real_group.name: original_fieldset: group short: Name of the group. type: keyword -process.entry_leader.real_user.id: - dashed_name: process-entry-leader-real-user-id +process.entry_leader.attested_user.hash: + dashed_name: process-entry-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.attested_user.id: + dashed_name: process-entry-leader-attested-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.real_user.id + flat_name: process.entry_leader.attested_user.id ignore_above: 1024 level: core name: id @@ -10847,15 +12025,15 @@ process.entry_leader.real_user.id: original_fieldset: user short: Unique identifier of the user. type: keyword -process.entry_leader.real_user.name: - dashed_name: process-entry-leader-real-user-name +process.entry_leader.attested_user.name: + dashed_name: process-entry-leader-attested-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.entry_leader.real_user.name + flat_name: process.entry_leader.attested_user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.entry_leader.real_user.name.text + - flat_name: process.entry_leader.attested_user.name.text name: text type: match_only_text name: name 
@@ -10863,330 +12041,262 @@ process.entry_leader.real_user.name: original_fieldset: user short: Short name or login of the user. type: keyword -process.entry_leader.same_as_process: - dashed_name: process-entry-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.entry_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.entry_leader.saved_group.id: - dashed_name: process-entry-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword -process.entry_leader.saved_group.name: - dashed_name: process-entry-leader-saved-group-name - description: Name of the group. - flat_name: process.entry_leader.saved_group.name +process.entry_leader.attested_user.risk.calculated_level: + dashed_name: process-entry-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.attested_user.risk.calculated_level ignore_above: 1024 level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.saved_user.id: - dashed_name: process-entry-leader-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.entry_leader.saved_user.name: - dashed_name: process-entry-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.saved_user.name.text - name: text - type: match_only_text - name: name + name: calculated_level normalize: [] - original_fieldset: user - short: Short name or login of the user. + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. type: keyword -process.entry_leader.start: - dashed_name: process-entry-leader-start - description: The time the process started. 
- example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.start +process.entry_leader.attested_user.risk.calculated_score: + dashed_name: process-entry-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.attested_user.risk.calculated_score level: extended - name: start + name: calculated_score normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.entry_leader.supplemental_groups.id: - dashed_name: process-entry-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.supplemental_groups.id - ignore_above: 1024 + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.entry_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.attested_user.risk.calculated_score_norm level: extended - name: id + name: calculated_score_norm normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.supplemental_groups.name: - dashed_name: process-entry-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.entry_leader.supplemental_groups.name + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float +process.entry_leader.attested_user.risk.static_level: + dashed_name: process-entry-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.attested_user.risk.static_level ignore_above: 1024 level: extended - name: name + name: static_level normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. type: keyword -process.entry_leader.tty: - dashed_name: process-entry-leader-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.entry_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.entry_leader.tty.char_device.major: - dashed_name: process-entry-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.entry_leader.tty.char_device.major +process.entry_leader.attested_user.risk.static_score: + dashed_name: process-entry-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.entry_leader.attested_user.risk.static_score level: extended - name: tty.char_device.major + name: static_score normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long -process.entry_leader.tty.char_device.minor: - dashed_name: process-entry-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.entry_leader.tty.char_device.minor + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.entry_leader.attested_user.risk.static_score_norm: + dashed_name: process-entry-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.attested_user.risk.static_score_norm level: extended - name: tty.char_device.minor + name: static_score_norm normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long -process.entry_leader.user.id: - dashed_name: process-entry-leader-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.user.id + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.entry_leader.attested_user.roles: + dashed_name: process-entry-leader-attested-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.attested_user.roles ignore_above: 1024 - level: core - name: id - normalize: [] + level: extended + name: roles + normalize: + - array original_fieldset: user - short: Unique identifier of the user. + short: Array of user roles at the time of the event. + synthetic_source_keep: none type: keyword -process.entry_leader.user.name: - dashed_name: process-entry-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.user.name +process.entry_leader.code_signature.digest_algorithm: + dashed_name: process-entry-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times by + the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.entry_leader.code_signature.digest_algorithm ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.user.name.text - name: text - type: match_only_text - name: name + level: extended + name: digest_algorithm normalize: [] - original_fieldset: user - short: Short name or login of the user. + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. type: keyword -process.entry_leader.vpid: - dashed_name: process-entry-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.entry_leader.vpid - format: string +process.entry_leader.code_signature.exists: + dashed_name: process-entry-leader-code-signature-exists + description: Boolean to capture if a signature is present. 
+ example: 'true' + flat_name: process.entry_leader.code_signature.exists level: core - name: vpid + name: exists normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.entry_leader.working_directory: - dashed_name: process-entry-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.entry_leader.working_directory + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +process.entry_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.entry_leader.code_signature.flags ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.entry_leader.working_directory.text - name: text - type: match_only_text - name: working_directory + name: flags normalize: [] - original_fieldset: process - short: The working directory of the process. + original_fieldset: code_signature + short: Code signing flags of the process type: keyword -process.env_vars: - dashed_name: process-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. +process.entry_leader.code_signature.signing_id: + dashed_name: process-entry-leader-code-signature-signing-id + description: 'The identifier used to sign the process. - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.env_vars + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' 
+ example: com.apple.xpc.proxy + flat_name: process.entry_leader.code_signature.signing_id ignore_above: 1024 level: extended - name: env_vars - normalize: - - array - short: Array of environment variable bindings. - synthetic_source_keep: none + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. type: keyword -process.executable: - dashed_name: process-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.executable +process.entry_leader.code_signature.status: + dashed_name: process-entry-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.entry_leader.code_signature.status ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.executable.text - name: text - type: match_only_text - name: executable + name: status normalize: [] - otel: - - attribute: process.executable.path - relation: equivalent - stability: development - short: Absolute path to the process executable. + original_fieldset: code_signature + short: Additional information about the certificate status. type: keyword -process.exit_code: - dashed_name: process-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' 
- example: 137 - flat_name: process.exit_code - level: extended - name: exit_code +process.entry_leader.code_signature.subject_name: + dashed_name: process-entry-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.entry_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name normalize: [] - short: The exit code of the process. - type: long -process.group.id: - dashed_name: process-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group.id + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.entry_leader.code_signature.team_id: + dashed_name: process-entry-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.entry_leader.code_signature.team_id ignore_above: 1024 level: extended - name: id + name: team_id normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: code_signature + short: The team identifier used to sign the process. type: keyword -process.group.name: - dashed_name: process-group-name - description: Name of the group. - flat_name: process.group.name - ignore_above: 1024 +process.entry_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. 
+ example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.entry_leader.code_signature.thumbprint_sha256 + ignore_above: 64 level: extended - name: name + name: thumbprint_sha256 normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. type: keyword -process.group_leader.args: - dashed_name: process-group-leader-args - description: 'Array of process arguments, starting with the absolute path to the - executable. +process.entry_leader.code_signature.timestamp: + dashed_name: process-entry-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.entry_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date +process.entry_leader.code_signature.trusted: + dashed_name: process-entry-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.group_leader.args - ignore_above: 1024 + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.entry_leader.code_signature.trusted level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword -process.group_leader.args_count: - dashed_name: process-group-leader-args-count - description: 'Length of the process.args array. + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. 
+ type: boolean +process.entry_leader.code_signature.valid: + dashed_name: process-entry-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.group_leader.args_count + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.entry_leader.code_signature.valid level: extended - name: args_count + name: valid normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long -process.group_leader.command_line: - dashed_name: process-group-leader-command-line + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +process.entry_leader.command_line: + dashed_name: process-entry-leader-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.group_leader.command_line + flat_name: process.entry_leader.command_line level: extended multi_fields: - - flat_name: process.group_leader.command_line.text + - flat_name: process.entry_leader.command_line.text name: text type: match_only_text name: command_line 
@@ -11194,598 +12304,1154 @@ process.group_leader.command_line: original_fieldset: process short: Full command line that started the process. type: wildcard -process.group_leader.entity_id: - dashed_name: process-group-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.group_leader.entity_id +process.entry_leader.elf.architecture: + dashed_name: process-entry-leader-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.entry_leader.elf.architecture ignore_above: 1024 level: extended - name: entity_id + name: architecture normalize: [] - original_fieldset: process - short: Unique identifier for the process. + original_fieldset: elf + short: Machine architecture of the ELF file. type: keyword -process.group_leader.executable: - dashed_name: process-group-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.group_leader.executable +process.entry_leader.elf.byte_order: + dashed_name: process-entry-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.entry_leader.elf.byte_order ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.group_leader.executable.text - name: text - type: match_only_text - name: executable + name: byte_order normalize: [] - original_fieldset: process - short: Absolute path to the process executable. + original_fieldset: elf + short: Byte sequence of ELF file. 
type: keyword -process.group_leader.group.id: - dashed_name: process-group-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.group.id +process.entry_leader.elf.cpu_type: + dashed_name: process-entry-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.entry_leader.elf.cpu_type ignore_above: 1024 level: extended - name: id + name: cpu_type normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: elf + short: CPU type of the ELF file. type: keyword -process.group_leader.group.name: - dashed_name: process-group-leader-group-name - description: Name of the group. - flat_name: process.group_leader.group.name - ignore_above: 1024 +process.entry_leader.elf.creation_date: + dashed_name: process-entry-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: process.entry_leader.elf.creation_date level: extended - name: name + name: creation_date normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.group_leader.interactive: - dashed_name: process-group-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' 
- example: true - flat_name: process.group_leader.interactive + original_fieldset: elf + short: Build or compile date. + type: date +process.entry_leader.elf.exports: + dashed_name: process-entry-leader-elf-exports + description: List of exported element names and types. + flat_name: process.entry_leader.elf.exports level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.group_leader.name: - dashed_name: process-group-leader-name - description: 'Process name. + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +process.entry_leader.elf.go_import_hash: + dashed_name: process-entry-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. - Sometimes called program name or similar.' - example: ssh - flat_name: process.group_leader.name + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.elf.go_import_hash ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.group_leader.name.text - name: text - type: match_only_text - name: name + name: go_import_hash normalize: [] - original_fieldset: process - short: Process name. - type: keyword -process.group_leader.pid: - dashed_name: process-group-leader-pid - description: Process id. - example: 4242 - flat_name: process.group_leader.pid - format: string - level: core - name: pid + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. 
+ type: keyword +process.entry_leader.elf.go_imports: + dashed_name: process-entry-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.elf.go_imports + level: extended + name: go_imports normalize: [] - original_fieldset: process - otel: - - relation: match - stability: development - short: Process id. + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +process.entry_leader.elf.go_imports_names_entropy: + dashed_name: process-entry-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. type: long -process.group_leader.real_group.id: - dashed_name: process-group-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.real_group.id - ignore_above: 1024 +process.entry_leader.elf.go_imports_names_var_entropy: + dashed_name: process-entry-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.elf.go_imports_names_var_entropy + format: number level: extended - name: id + name: go_imports_names_var_entropy normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group_leader.real_group.name: - dashed_name: process-group-leader-real-group-name - description: Name of the group. - flat_name: process.group_leader.real_group.name + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long +process.entry_leader.elf.go_stripped: + dashed_name: process-entry-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.entry_leader.elf.header.abi_version: + dashed_name: process-entry-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.entry_leader.elf.header.abi_version ignore_above: 1024 level: extended - name: name + name: header.abi_version normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). type: keyword -process.group_leader.real_user.id: - dashed_name: process-group-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.real_user.id +process.entry_leader.elf.header.class: + dashed_name: process-entry-leader-elf-header-class + description: Header class of the ELF file. + flat_name: process.entry_leader.elf.header.class ignore_above: 1024 - level: core - name: id + level: extended + name: header.class normalize: [] - original_fieldset: user - short: Unique identifier of the user. + original_fieldset: elf + short: Header class of the ELF file. type: keyword -process.group_leader.real_user.name: - dashed_name: process-group-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.real_user.name +process.entry_leader.elf.header.data: + dashed_name: process-entry-leader-elf-header-data + description: Data table of the ELF header. 
+ flat_name: process.entry_leader.elf.header.data ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.real_user.name.text - name: text - type: match_only_text - name: name + level: extended + name: header.data normalize: [] - original_fieldset: user - short: Short name or login of the user. + original_fieldset: elf + short: Data table of the ELF header. type: keyword -process.group_leader.same_as_process: - dashed_name: process-group-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.group_leader.same_as_process +process.entry_leader.elf.header.entrypoint: + dashed_name: process-entry-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. 
+ flat_name: process.entry_leader.elf.header.entrypoint + format: string level: extended - name: same_as_process + name: header.entrypoint normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.group_leader.saved_group.id: - dashed_name: process-group-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.saved_group.id + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +process.entry_leader.elf.header.object_version: + dashed_name: process-entry-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.entry_leader.elf.header.object_version ignore_above: 1024 level: extended - name: id + name: header.object_version normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: elf + short: '"0x1" for original ELF files.' type: keyword -process.group_leader.saved_group.name: - dashed_name: process-group-leader-saved-group-name - description: Name of the group. - flat_name: process.group_leader.saved_group.name +process.entry_leader.elf.header.os_abi: + dashed_name: process-entry-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.entry_leader.elf.header.os_abi ignore_above: 1024 level: extended - name: name + name: header.os_abi normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. type: keyword -process.group_leader.saved_user.id: - dashed_name: process-group-leader-saved-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.saved_user.id +process.entry_leader.elf.header.type: + dashed_name: process-entry-leader-elf-header-type + description: Header type of the ELF file. + flat_name: process.entry_leader.elf.header.type ignore_above: 1024 - level: core - name: id + level: extended + name: header.type normalize: [] - original_fieldset: user - short: Unique identifier of the user. + original_fieldset: elf + short: Header type of the ELF file. type: keyword -process.group_leader.saved_user.name: - dashed_name: process-group-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.saved_user.name +process.entry_leader.elf.header.version: + dashed_name: process-entry-leader-elf-header-version + description: Version of the ELF header. + flat_name: process.entry_leader.elf.header.version ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.group_leader.start: - dashed_name: process-group-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.group_leader.start level: extended - name: start + name: header.version normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.group_leader.supplemental_groups.id: - dashed_name: process-group-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.supplemental_groups.id + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.entry_leader.elf.import_hash: + dashed_name: process-entry-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. 
An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.elf.import_hash ignore_above: 1024 level: extended - name: id + name: import_hash normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: elf + short: A hash of the imports in an ELF file. type: keyword -process.group_leader.supplemental_groups.name: - dashed_name: process-group-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.group_leader.supplemental_groups.name - ignore_above: 1024 +process.entry_leader.elf.imports: + dashed_name: process-entry-leader-elf-imports + description: List of imported element names and types. + flat_name: process.entry_leader.elf.imports level: extended - name: name + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.entry_leader.elf.imports_names_entropy: + dashed_name: process-entry-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.entry_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.group_leader.tty: - dashed_name: process-group-leader-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.group_leader.tty + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. 
+ type: long +process.entry_leader.elf.imports_names_var_entropy: + dashed_name: process-entry-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.elf.imports_names_var_entropy + format: number level: extended - name: tty + name: imports_names_var_entropy normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.group_leader.tty.char_device.major: - dashed_name: process-group-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.group_leader.tty.char_device.major + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.entry_leader.elf.sections: + dashed_name: process-entry-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: process.entry_leader.elf.sections level: extended - name: tty.char_device.major + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +process.entry_leader.elf.sections.chi2: + dashed_name: process-entry-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.entry_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 normalize: [] - original_fieldset: process - short: The TTY character device's major number. 
+ original_fieldset: elf + short: Chi-square probability distribution of the section. type: long -process.group_leader.tty.char_device.minor: - dashed_name: process-group-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.group_leader.tty.char_device.minor +process.entry_leader.elf.sections.entropy: + dashed_name: process-entry-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.elf.sections.entropy + format: number level: extended - name: tty.char_device.minor + name: sections.entropy normalize: [] - original_fieldset: process - short: The TTY character device's minor number. + original_fieldset: elf + short: Shannon entropy calculation from the section. type: long -process.group_leader.user.id: - dashed_name: process-group-leader-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.user.id +process.entry_leader.elf.sections.flags: + dashed_name: process-entry-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.entry_leader.elf.sections.flags ignore_above: 1024 - level: core - name: id + level: extended + name: sections.flags normalize: [] - original_fieldset: user - short: Unique identifier of the user. + original_fieldset: elf + short: ELF Section List flags. type: keyword -process.group_leader.user.name: - dashed_name: process-group-leader-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.group_leader.user.name +process.entry_leader.elf.sections.name: + dashed_name: process-entry-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.entry_leader.elf.sections.name ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.user.name.text - name: text - type: match_only_text - name: name + level: extended + name: sections.name normalize: [] - original_fieldset: user - short: Short name or login of the user. + original_fieldset: elf + short: ELF Section List name. type: keyword -process.group_leader.vpid: - dashed_name: process-group-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.group_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.group_leader.working_directory: - dashed_name: process-group-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.group_leader.working_directory +process.entry_leader.elf.sections.physical_offset: + dashed_name: process-entry-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.entry_leader.elf.sections.physical_offset ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.group_leader.working_directory.text - name: text - type: match_only_text - name: working_directory + name: sections.physical_offset normalize: [] - original_fieldset: process - short: The working directory of the process. + original_fieldset: elf + short: ELF Section List offset. type: keyword -process.hash.cdhash: - beta: This field is beta and subject to change. 
- dashed_name: process-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.hash.cdhash - ignore_above: 1024 +process.entry_leader.elf.sections.physical_size: + dashed_name: process-entry-leader-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.entry_leader.elf.sections.physical_size + format: bytes level: extended - name: cdhash + name: sections.physical_size normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.hash.md5: - dashed_name: process-hash-md5 - description: MD5 hash. - flat_name: process.hash.md5 + original_fieldset: elf + short: ELF Section List physical size. + type: long +process.entry_leader.elf.sections.type: + dashed_name: process-entry-leader-elf-sections-type + description: ELF Section List type. + flat_name: process.entry_leader.elf.sections.type ignore_above: 1024 level: extended - name: md5 + name: sections.type normalize: [] - original_fieldset: hash - short: MD5 hash. + original_fieldset: elf + short: ELF Section List type. type: keyword -process.hash.sha1: - dashed_name: process-hash-sha1 - description: SHA1 hash. - flat_name: process.hash.sha1 - ignore_above: 1024 +process.entry_leader.elf.sections.var_entropy: + dashed_name: process-entry-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.elf.sections.var_entropy + format: number level: extended - name: sha1 + name: sections.var_entropy normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.hash.sha256: - dashed_name: process-hash-sha256 - description: SHA256 hash. - flat_name: process.hash.sha256 - ignore_above: 1024 + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. 
+ type: long +process.entry_leader.elf.sections.virtual_address: + dashed_name: process-entry-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.entry_leader.elf.sections.virtual_address + format: string level: extended - name: sha256 + name: sections.virtual_address normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.hash.sha384: - dashed_name: process-hash-sha384 - description: SHA384 hash. - flat_name: process.hash.sha384 + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.entry_leader.elf.sections.virtual_size: + dashed_name: process-entry-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.entry_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +process.entry_leader.elf.segments: + dashed_name: process-entry-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: process.entry_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +process.entry_leader.elf.segments.sections: + dashed_name: process-entry-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.entry_leader.elf.segments.sections ignore_above: 1024 level: extended - name: sha384 + name: segments.sections normalize: [] - original_fieldset: hash - short: SHA384 hash. + original_fieldset: elf + short: ELF object segment sections. type: keyword -process.hash.sha512: - dashed_name: process-hash-sha512 - description: SHA512 hash. 
- flat_name: process.hash.sha512 +process.entry_leader.elf.segments.type: + dashed_name: process-entry-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.entry_leader.elf.segments.type ignore_above: 1024 level: extended - name: sha512 + name: segments.type normalize: [] - original_fieldset: hash - short: SHA512 hash. + original_fieldset: elf + short: ELF object segment type. type: keyword -process.hash.ssdeep: - dashed_name: process-hash-ssdeep - description: SSDEEP hash. - flat_name: process.hash.ssdeep +process.entry_leader.elf.shared_libraries: + dashed_name: process-entry-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.entry_leader.elf.shared_libraries ignore_above: 1024 level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. type: keyword -process.hash.tlsh: - dashed_name: process-hash-tlsh - description: TLSH hash. - flat_name: process.hash.tlsh +process.entry_leader.elf.telfhash: + dashed_name: process-entry-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.entry_leader.elf.telfhash ignore_above: 1024 level: extended - name: tlsh + name: telfhash normalize: [] - original_fieldset: hash - short: TLSH hash. + original_fieldset: elf + short: telfhash hash for ELF file. type: keyword -process.interactive: - dashed_name: process-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. 
- - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.interactive +process.entry_leader.end: + dashed_name: process-entry-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.end level: extended - name: interactive + name: end normalize: [] - otel: - - relation: match - stability: development - short: Whether the process is connected to an interactive shell. + original_fieldset: process + short: The time the process ended. + type: date +process.entry_leader.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.entry_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. type: boolean -process.io: - dashed_name: process-io +process.entry_leader.entity_id: + dashed_name: process-entry-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' 
+ example: c2c455d9f99375d + flat_name: process.entry_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.entry_leader.entry_meta.source.address: + dashed_name: process-entry-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.entry_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword +process.entry_leader.entry_meta.source.as.number: + dashed_name: process-entry-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.entry_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.entry_leader.entry_meta.source.as.organization.name: + dashed_name: process-entry-leader-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.entry_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. 
+ type: keyword +process.entry_leader.entry_meta.source.bytes: + dashed_name: process-entry-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.entry_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long +process.entry_leader.entry_meta.source.domain: + dashed_name: process-entry-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com + flat_name: process.entry_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.entry_leader.entry_meta.source.geo.city_name: + dashed_name: process-entry-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.entry_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +process.entry_leader.entry_meta.source.geo.continent_code: + dashed_name: process-entry-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.entry_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +process.entry_leader.entry_meta.source.geo.continent_name: + dashed_name: process-entry-leader-entry-meta-source-geo-continent-name + description: Name of the continent. 
+ example: North America + flat_name: process.entry_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +process.entry_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-entry-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.entry_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +process.entry_leader.entry_meta.source.geo.country_name: + dashed_name: process-entry-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.entry_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +process.entry_leader.entry_meta.source.geo.location: + dashed_name: process-entry-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.entry_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +process.entry_leader.entry_meta.source.geo.name: + dashed_name: process-entry-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' 
+ example: boston-dc + flat_name: process.entry_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.entry_leader.entry_meta.source.geo.postal_code: + dashed_name: process-entry-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.entry_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +process.entry_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-entry-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.entry_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.entry_leader.entry_meta.source.geo.region_name: + dashed_name: process-entry-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.entry_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +process.entry_leader.entry_meta.source.geo.timezone: + dashed_name: process-entry-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.entry_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. 
+ type: keyword +process.entry_leader.entry_meta.source.ip: + dashed_name: process-entry-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.entry_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip +process.entry_leader.entry_meta.source.mac: + dashed_name: process-entry-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.entry_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.entry_leader.entry_meta.source.nat.ip: + dashed_name: process-entry-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.entry_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.entry_leader.entry_meta.source.nat.port: + dashed_name: process-entry-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' 
+ flat_name: process.entry_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.entry_leader.entry_meta.source.packets: + dashed_name: process-entry-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.entry_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.entry_leader.entry_meta.source.port: + dashed_name: process-entry-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.entry_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.entry_leader.entry_meta.source.registered_domain: + dashed_name: process-entry-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.entry_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword +process.entry_leader.entry_meta.source.subdomain: + dashed_name: process-entry-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. 
In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.entry_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword +process.entry_leader.entry_meta.source.top_level_domain: + dashed_name: process-entry-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.entry_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword +process.entry_leader.entry_meta.type: + dashed_name: process-entry-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.entry_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. 
+ type: keyword +process.entry_leader.env_vars: + dashed_name: process-entry-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.entry_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.entry_leader.executable: + dashed_name: process-entry-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.entry_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword +process.entry_leader.exit_code: + dashed_name: process-entry-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.entry_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long +process.entry_leader.group.domain: + dashed_name: process-entry-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.entry_leader.group.id: + dashed_name: process-entry-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.group.name: + dashed_name: process-entry-leader-group-name + description: Name of the group. + flat_name: process.entry_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.entry_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.entry_leader.hash.md5: + dashed_name: process-entry-leader-hash-md5 + description: MD5 hash. + flat_name: process.entry_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.entry_leader.hash.sha1: + dashed_name: process-entry-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.entry_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.entry_leader.hash.sha256: + dashed_name: process-entry-leader-hash-sha256 + description: SHA256 hash. 
+ flat_name: process.entry_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.entry_leader.hash.sha384: + dashed_name: process-entry-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.entry_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword +process.entry_leader.hash.sha512: + dashed_name: process-entry-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.entry_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.entry_leader.hash.ssdeep: + dashed_name: process-entry-leader-hash-ssdeep + description: SSDEEP hash. + flat_name: process.entry_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +process.entry_leader.hash.tlsh: + dashed_name: process-entry-leader-hash-tlsh + description: TLSH hash. + flat_name: process.entry_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.entry_leader.interactive: + dashed_name: process-entry-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). 
A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.entry_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.entry_leader.io: + dashed_name: process-entry-leader-io description: 'A chunk of input or output (IO) from a single process. This field only appears on the top level process object, which is the process that wrote the output or read the input.' - flat_name: process.io + flat_name: process.entry_leader.io level: extended name: io normalize: [] + original_fieldset: process short: A chunk of input or output (IO) from a single process. type: object -process.io.bytes_skipped: - dashed_name: process-io-bytes-skipped +process.entry_leader.io.bytes_skipped: + dashed_name: process-entry-leader-io-bytes-skipped description: An array of byte offsets and lengths denoting where IO data has been skipped. - flat_name: process.io.bytes_skipped + flat_name: process.entry_leader.io.bytes_skipped level: extended name: io.bytes_skipped normalize: - array + original_fieldset: process short: An array of byte offsets and lengths denoting where IO data has been skipped. type: object -process.io.bytes_skipped.length: - dashed_name: process-io-bytes-skipped-length +process.entry_leader.io.bytes_skipped.length: + dashed_name: process-entry-leader-io-bytes-skipped-length description: The length of bytes skipped. - flat_name: process.io.bytes_skipped.length + flat_name: process.entry_leader.io.bytes_skipped.length level: extended name: io.bytes_skipped.length normalize: [] + original_fieldset: process short: The length of bytes skipped. 
type: long -process.io.bytes_skipped.offset: - dashed_name: process-io-bytes-skipped-offset +process.entry_leader.io.bytes_skipped.offset: + dashed_name: process-entry-leader-io-bytes-skipped-offset description: The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. - flat_name: process.io.bytes_skipped.offset + flat_name: process.entry_leader.io.bytes_skipped.offset level: extended name: io.bytes_skipped.offset normalize: [] + original_fieldset: process short: The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. type: long -process.io.max_bytes_per_process_exceeded: - dashed_name: process-io-max-bytes-per-process-exceeded +process.entry_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-entry-leader-io-max-bytes-per-process-exceeded description: If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. - flat_name: process.io.max_bytes_per_process_exceeded + flat_name: process.entry_leader.io.max_bytes_per_process_exceeded level: extended name: io.max_bytes_per_process_exceeded normalize: [] + original_fieldset: process short: If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. type: boolean -process.io.text: - dashed_name: process-io-text +process.entry_leader.io.text: + dashed_name: process-entry-leader-io-text description: 'A chunk of output or input sanitized to UTF-8. Best efforts are made to ensure complete lines are captured in these events. Assumptions should NOT be made that multiple lines will appear in the same event. TTY output may contain terminal control codes such as for cursor movement, so some string queries may not match due to terminal codes inserted between characters of a word.' 
- flat_name: process.io.text + flat_name: process.entry_leader.io.text level: extended name: io.text normalize: [] + original_fieldset: process short: A chunk of output or input sanitized to UTF-8. type: wildcard -process.io.total_bytes_captured: - dashed_name: process-io-total-bytes-captured +process.entry_leader.io.total_bytes_captured: + dashed_name: process-entry-leader-io-total-bytes-captured description: The total number of bytes captured in this event. - flat_name: process.io.total_bytes_captured + flat_name: process.entry_leader.io.total_bytes_captured level: extended name: io.total_bytes_captured normalize: [] + original_fieldset: process short: The total number of bytes captured in this event. type: long -process.io.total_bytes_skipped: - dashed_name: process-io-total-bytes-skipped +process.entry_leader.io.total_bytes_skipped: + dashed_name: process-entry-leader-io-total-bytes-skipped description: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero - flat_name: process.io.total_bytes_skipped + flat_name: process.entry_leader.io.total_bytes_skipped level: extended name: io.total_bytes_skipped normalize: [] + original_fieldset: process short: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. type: long -process.io.type: - dashed_name: process-io-type +process.entry_leader.io.type: + dashed_name: process-entry-leader-io-type description: 'The type of object on which the IO action (read or write) was taken. Currently only ''tty'' is supported. Other types may be added in the future for ''file'' and ''socket'' support.' - flat_name: process.io.type + flat_name: process.entry_leader.io.type ignore_above: 1024 level: extended name: io.type normalize: [] + original_fieldset: process short: The type of object on which the IO action (read or write) was taken. 
type: keyword -process.macho.go_import_hash: - dashed_name: process-macho-go-import-hash +process.entry_leader.macho.go_import_hash: + dashed_name: process-entry-leader-macho-go-import-hash description: 'A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change @@ -11794,7 +13460,7 @@ process.macho.go_import_hash: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.macho.go_import_hash + flat_name: process.entry_leader.macho.go_import_hash ignore_above: 1024 level: extended name: go_import_hash @@ -11802,20 +13468,20 @@ process.macho.go_import_hash: original_fieldset: macho short: A hash of the Go language imports in a Mach-O file. type: keyword -process.macho.go_imports: - dashed_name: process-macho-go-imports +process.entry_leader.macho.go_imports: + dashed_name: process-entry-leader-macho-go-imports description: List of imported Go language element names and types. - flat_name: process.macho.go_imports + flat_name: process.entry_leader.macho.go_imports level: extended name: go_imports normalize: [] original_fieldset: macho short: List of imported Go language element names and types. type: flattened -process.macho.go_imports_names_entropy: - dashed_name: process-macho-go-imports-names-entropy +process.entry_leader.macho.go_imports_names_entropy: + dashed_name: process-entry-leader-macho-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.macho.go_imports_names_entropy + flat_name: process.entry_leader.macho.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy 
@@ -11823,10 +13489,10 @@ process.macho.go_imports_names_entropy: original_fieldset: macho short: Shannon entropy calculation from the list of Go imports. type: long -process.macho.go_imports_names_var_entropy: - dashed_name: process-macho-go-imports-names-var-entropy +process.entry_leader.macho.go_imports_names_var_entropy: + dashed_name: process-entry-leader-macho-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.macho.go_imports_names_var_entropy + flat_name: process.entry_leader.macho.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -11834,26 +13500,26 @@ process.macho.go_imports_names_var_entropy: original_fieldset: macho short: Variance for Shannon entropy calculation from the list of Go imports. type: long -process.macho.go_stripped: - dashed_name: process-macho-go-stripped +process.entry_leader.macho.go_stripped: + dashed_name: process-entry-leader-macho-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.macho.go_stripped + flat_name: process.entry_leader.macho.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: macho short: Whether the file is a stripped or obfuscated Go executable. type: boolean -process.macho.import_hash: - dashed_name: process-macho-import-hash +process.entry_leader.macho.import_hash: + dashed_name: process-entry-leader-macho-import-hash description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for symhash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.macho.import_hash + flat_name: process.entry_leader.macho.import_hash ignore_above: 1024 level: extended name: import_hash @@ -11861,10 +13527,10 @@ process.macho.import_hash: original_fieldset: macho short: A hash of the imports in a Mach-O file. type: keyword -process.macho.imports: - dashed_name: process-macho-imports +process.entry_leader.macho.imports: + dashed_name: process-entry-leader-macho-imports description: List of imported element names and types. - flat_name: process.macho.imports + flat_name: process.entry_leader.macho.imports level: extended name: imports normalize: 
@@ -11872,11 +13538,11 @@ process.macho.imports: original_fieldset: macho short: List of imported element names and types. type: flattened -process.macho.imports_names_entropy: - dashed_name: process-macho-imports-names-entropy +process.entry_leader.macho.imports_names_entropy: + dashed_name: process-entry-leader-macho-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.macho.imports_names_entropy + flat_name: process.entry_leader.macho.imports_names_entropy format: number level: extended name: imports_names_entropy @@ -11884,11 +13550,11 @@ process.macho.imports_names_entropy: original_fieldset: macho short: Shannon entropy calculation from the list of imported element names and types. type: long -process.macho.imports_names_var_entropy: - dashed_name: process-macho-imports-names-var-entropy +process.entry_leader.macho.imports_names_var_entropy: + dashed_name: process-entry-leader-macho-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.macho.imports_names_var_entropy + flat_name: process.entry_leader.macho.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy @@ -11897,13 +13563,13 @@ process.macho.imports_names_var_entropy: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long -process.macho.sections: - dashed_name: process-macho-sections +process.entry_leader.macho.sections: + dashed_name: process-entry-leader-macho-sections description: 'An array containing an object for each section of the Mach-O file. The keys that should be present in these objects are defined by sub-fields underneath `macho.sections.*`.' - flat_name: process.macho.sections + flat_name: process.entry_leader.macho.sections level: extended name: sections normalize: 
@@ -11911,10 +13577,10 @@ process.macho.sections: original_fieldset: macho short: Section information of the Mach-O file. type: nested -process.macho.sections.entropy: - dashed_name: process-macho-sections-entropy +process.entry_leader.macho.sections.entropy: + dashed_name: process-entry-leader-macho-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.macho.sections.entropy + flat_name: process.entry_leader.macho.sections.entropy format: number level: extended name: sections.entropy @@ -11922,10 +13588,10 @@ process.macho.sections.entropy: original_fieldset: macho short: Shannon entropy calculation from the section. type: long -process.macho.sections.name: - dashed_name: process-macho-sections-name +process.entry_leader.macho.sections.name: + dashed_name: process-entry-leader-macho-sections-name description: Mach-O Section List name. - flat_name: process.macho.sections.name + flat_name: process.entry_leader.macho.sections.name ignore_above: 1024 level: extended name: sections.name @@ -11933,10 +13599,10 @@ process.macho.sections.name: original_fieldset: macho short: Mach-O Section List name. type: keyword -process.macho.sections.physical_size: - dashed_name: process-macho-sections-physical-size +process.entry_leader.macho.sections.physical_size: + dashed_name: process-entry-leader-macho-sections-physical-size description: Mach-O Section List physical size. - flat_name: process.macho.sections.physical_size + flat_name: process.entry_leader.macho.sections.physical_size format: bytes level: extended name: sections.physical_size 
@@ -11944,10 +13610,10 @@ process.macho.sections.physical_size: original_fieldset: macho short: Mach-O Section List physical size. type: long -process.macho.sections.var_entropy: - dashed_name: process-macho-sections-var-entropy +process.entry_leader.macho.sections.var_entropy: + dashed_name: process-entry-leader-macho-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.macho.sections.var_entropy + flat_name: process.entry_leader.macho.sections.var_entropy format: number level: extended name: sections.var_entropy @@ -11955,10 +13621,10 @@ process.macho.sections.var_entropy: original_fieldset: macho short: Variance for Shannon entropy calculation from the section. type: long -process.macho.sections.virtual_size: - dashed_name: process-macho-sections-virtual-size +process.entry_leader.macho.sections.virtual_size: + dashed_name: process-entry-leader-macho-sections-virtual-size description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.macho.sections.virtual_size + flat_name: process.entry_leader.macho.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -11966,15 +13632,15 @@ process.macho.sections.virtual_size: original_fieldset: macho short: Mach-O Section List virtual size. This is always the same as `physical_size`. type: long -process.macho.symhash: - dashed_name: process-macho-symhash +process.entry_leader.macho.symhash: + dashed_name: process-entry-leader-macho-symhash description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a Mach-O implementation of the Windows PE imphash' example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.macho.symhash + flat_name: process.entry_leader.macho.symhash ignore_above: 1024 level: extended name: symhash 
@@ -11982,31 +13648,58 @@ process.macho.symhash: original_fieldset: macho short: A hash of the imports in a Mach-O file. type: keyword -process.name: - dashed_name: process-name +process.entry_leader.name: + dashed_name: process-entry-leader-name description: 'Process name. Sometimes called program name or similar.' example: ssh - flat_name: process.name + flat_name: process.entry_leader.name ignore_above: 1024 level: extended multi_fields: - - flat_name: process.name.text + - flat_name: process.entry_leader.name.text name: text type: match_only_text name: name normalize: [] + original_fieldset: process short: Process name. type: keyword -process.parent.args: - dashed_name: process-parent-args +process.entry_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + flat_name: process.entry_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.entry_leader.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.entry_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword +process.entry_leader.parent.args: + dashed_name: process-entry-leader-parent-args description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.' 
example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.parent.args + flat_name: process.entry_leader.parent.args ignore_above: 1024 level: extended name: args 
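Review bot: the `-process.macho.*` / `+process.entry_leader.macho.*` pairs in the preceding hunks, and the `-process.name` / `+process.entry_leader.name` pair in this one, read as renames, but the unchanged `original_fieldset: macho` context lines show this is diff alignment caused by a large block of `process.entry_leader.*` entries being inserted, not a removal of the top-level `process.macho.*` or `process.name` fields. Before approving, confirm in the regenerated file that `process.name` and `process.macho.*` still exist further down, and, since this output is generated (`flat_name`, `dashed_name`), that the corresponding change landed in the schema source rather than being hand-edited here. The `+  original_fieldset: process` line on `process.entry_leader.name` is expected for a reused field set and needs no action.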
@@ -12015,29 +13708,533 @@ process.parent.args: original_fieldset: process short: Array of process arguments. type: keyword -process.parent.args_count: - dashed_name: process-parent-args-count +process.entry_leader.parent.args_count: + dashed_name: process-entry-leader-parent-args-count description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.' example: 4 - flat_name: process.parent.args_count + flat_name: process.entry_leader.parent.args_count level: extended name: args_count normalize: [] original_fieldset: process short: Length of the process.args array. type: long -process.parent.code_signature.digest_algorithm: - dashed_name: process-parent-code-signature-digest-algorithm +process.entry_leader.parent.attested_groups.domain: + dashed_name: process-entry-leader-parent-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.attested_groups.id: + dashed_name: process-entry-leader-parent-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.attested_groups.name: + dashed_name: process-entry-leader-parent-attested-groups-name + description: Name of the group. 
+ flat_name: process.entry_leader.parent.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.attested_user.domain: + dashed_name: process-entry-leader-parent-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.entry_leader.parent.attested_user.email: + dashed_name: process-entry-leader-parent-attested-user-email + description: User email address. + flat_name: process.entry_leader.parent.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.entry_leader.parent.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.entry_leader.parent.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.entry_leader.parent.attested_user.entity.behavior: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.entry_leader.parent.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.entry_leader.parent.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.parent.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.attested_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.entry_leader.parent.attested_user.entity.id: + dashed_name: process-entry-leader-parent-attested-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.entry_leader.parent.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.entry_leader.parent.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.parent.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.entry_leader.parent.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.entry_leader.parent.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.entry_leader.parent.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.entry_leader.parent.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.entry_leader.parent.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.entry_leader.parent.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.attested_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.entry_leader.parent.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. 
+ flat_name: process.entry_leader.parent.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.entry_leader.parent.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.parent.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.entry_leader.parent.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.entry_leader.parent.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.entry_leader.parent.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.parent.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.entry_leader.parent.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. 
This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. 
This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.entry_leader.parent.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.entry_leader.parent.attested_user.full_name: + dashed_name: process-entry-leader-parent-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.entry_leader.parent.attested_user.group.domain: + dashed_name: process-entry-leader-parent-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.parent.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.attested_user.group.id: + dashed_name: process-entry-leader-parent-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.attested_user.group.name: + dashed_name: process-entry-leader-parent-attested-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.attested_user.hash: + dashed_name: process-entry-leader-parent-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.parent.attested_user.id: + dashed_name: process-entry-leader-parent-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. 
+ type: keyword +process.entry_leader.parent.attested_user.name: + dashed_name: process-entry-leader-parent-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.entry_leader.parent.attested_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.entry_leader.parent.attested_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: float +process.entry_leader.parent.attested_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.parent.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.entry_leader.parent.attested_user.risk.static_level: + dashed_name: process-entry-leader-parent-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.entry_leader.parent.attested_user.risk.static_score: + dashed_name: process-entry-leader-parent-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: float +process.entry_leader.parent.attested_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.entry_leader.parent.attested_user.roles: + dashed_name: process-entry-leader-parent-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.code_signature.digest_algorithm: + dashed_name: process-entry-leader-parent-code-signature-digest-algorithm description: 'The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.' example: sha256 - flat_name: process.parent.code_signature.digest_algorithm + flat_name: process.entry_leader.parent.code_signature.digest_algorithm ignore_above: 1024 level: extended name: digest_algorithm 
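Review bot: this hunk grows the flat output by 533 lines at a single nesting point, `process.entry_leader.parent.attested_user`, because the reused `user` field set now carries the `entity` subtree (13 new `entity.*` entries here: `attributes`, `behavior`, `display_name`, `id`, `last_seen_timestamp`, `lifecycle`, `metrics`, `name`, `raw`, `reference`, `source`, `sub_type`, `type`) on top of `group.*`, `risk.*` and `roles`. If `user` is reused elsewhere with the same settings, the same expansion recurs at each nesting, so the mapping field-count impact should be stated in the PR description and checked against the index `total_fields` limit. Two smaller points: `entity.attributes`, `entity.behavior`, `entity.lifecycle`, `entity.metrics` and `entity.raw` are emitted as `type: object` with no sub-fields, so their usefulness depends on dynamic mapping being allowed for those paths, which the descriptions (`These use dynamic field data type mapping`, `Usually flattened field data type`) only partly acknowledge; and the `entity.name` description carries a typo, `this field should mirrors the corresponding *.name value`, which has to be fixed in the schema source rather than in this generated file.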
@@ -12045,23 +14242,23 @@ process.parent.code_signature.digest_algorithm: original_fieldset: code_signature short: Hashing algorithm used to sign the process. type: keyword -process.parent.code_signature.exists: - dashed_name: process-parent-code-signature-exists +process.entry_leader.parent.code_signature.exists: + dashed_name: process-entry-leader-parent-code-signature-exists description: Boolean to capture if a signature is present. example: 'true' - flat_name: process.parent.code_signature.exists + flat_name: process.entry_leader.parent.code_signature.exists level: core name: exists normalize: [] original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean -process.parent.code_signature.flags: +process.entry_leader.parent.code_signature.flags: beta: This field is beta and subject to change. - dashed_name: process-parent-code-signature-flags + dashed_name: process-entry-leader-parent-code-signature-flags description: The flags used to sign the process. example: 570522385 - flat_name: process.parent.code_signature.flags + flat_name: process.entry_leader.parent.code_signature.flags ignore_above: 1024 level: extended name: flags @@ -12069,14 +14266,14 @@ process.parent.code_signature.flags: original_fieldset: code_signature short: Code signing flags of the process type: keyword -process.parent.code_signature.signing_id: - dashed_name: process-parent-code-signature-signing-id +process.entry_leader.parent.code_signature.signing_id: + dashed_name: process-entry-leader-parent-code-signature-signing-id description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy - flat_name: process.parent.code_signature.signing_id + flat_name: process.entry_leader.parent.code_signature.signing_id ignore_above: 1024 level: extended name: signing_id 
@@ -12084,15 +14281,15 @@ process.parent.code_signature.signing_id: original_fieldset: code_signature short: The identifier used to sign the process. type: keyword -process.parent.code_signature.status: - dashed_name: process-parent-code-signature-status +process.entry_leader.parent.code_signature.status: + dashed_name: process-entry-leader-parent-code-signature-status description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT - flat_name: process.parent.code_signature.status + flat_name: process.entry_leader.parent.code_signature.status ignore_above: 1024 level: extended name: status @@ -12100,11 +14297,11 @@ process.parent.code_signature.status: original_fieldset: code_signature short: Additional information about the certificate status. type: keyword -process.parent.code_signature.subject_name: - dashed_name: process-parent-code-signature-subject-name +process.entry_leader.parent.code_signature.subject_name: + dashed_name: process-entry-leader-parent-code-signature-subject-name description: Subject name of the code signer example: Microsoft Corporation - flat_name: process.parent.code_signature.subject_name + flat_name: process.entry_leader.parent.code_signature.subject_name ignore_above: 1024 level: core name: subject_name 
@@ -12112,14 +14309,14 @@ process.parent.code_signature.subject_name: original_fieldset: code_signature short: Subject name of the code signer type: keyword -process.parent.code_signature.team_id: - dashed_name: process-parent-code-signature-team-id +process.entry_leader.parent.code_signature.team_id: + dashed_name: process-entry-leader-parent-code-signature-team-id description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV - flat_name: process.parent.code_signature.team_id + flat_name: process.entry_leader.parent.code_signature.team_id ignore_above: 1024 level: extended name: team_id @@ -12127,12 +14324,12 @@ process.parent.code_signature.team_id: original_fieldset: code_signature short: The team identifier used to sign the process. type: keyword -process.parent.code_signature.thumbprint_sha256: +process.entry_leader.parent.code_signature.thumbprint_sha256: beta: This field is beta and subject to change. - dashed_name: process-parent-code-signature-thumbprint-sha256 + dashed_name: process-entry-leader-parent-code-signature-thumbprint-sha256 description: Certificate SHA256 hash that uniquely identifies the code signer. example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.parent.code_signature.thumbprint_sha256 + flat_name: process.entry_leader.parent.code_signature.thumbprint_sha256 ignore_above: 64 level: extended name: thumbprint_sha256 
@@ -12141,39 +14338,39 @@ process.parent.code_signature.thumbprint_sha256: pattern: ^[0-9a-f]{64}$ short: SHA256 hash of the certificate. type: keyword -process.parent.code_signature.timestamp: - dashed_name: process-parent-code-signature-timestamp +process.entry_leader.parent.code_signature.timestamp: + dashed_name: process-entry-leader-parent-code-signature-timestamp description: Date and time when the code signature was generated and signed. example: '2021-01-01T12:10:30Z' - flat_name: process.parent.code_signature.timestamp + flat_name: process.entry_leader.parent.code_signature.timestamp level: extended name: timestamp normalize: [] original_fieldset: code_signature short: When the signature was generated and signed. type: date -process.parent.code_signature.trusted: - dashed_name: process-parent-code-signature-trusted +process.entry_leader.parent.code_signature.trusted: + dashed_name: process-entry-leader-parent-code-signature-trusted description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' - flat_name: process.parent.code_signature.trusted + flat_name: process.entry_leader.parent.code_signature.trusted level: extended name: trusted normalize: [] original_fieldset: code_signature short: Stores the trust status of the certificate chain. type: boolean -process.parent.code_signature.valid: - dashed_name: process-parent-code-signature-valid +process.entry_leader.parent.code_signature.valid: + dashed_name: process-entry-leader-parent-code-signature-valid description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' - flat_name: process.parent.code_signature.valid + flat_name: process.entry_leader.parent.code_signature.valid level: extended name: valid normalize: [] 
@@ -12181,17 +14378,17 @@ process.parent.code_signature.valid: short: Boolean to capture if the digital signature is verified against the binary content. type: boolean -process.parent.command_line: - dashed_name: process-parent-command-line +process.entry_leader.parent.command_line: + dashed_name: process-entry-leader-parent-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.parent.command_line + flat_name: process.entry_leader.parent.command_line level: extended multi_fields: - - flat_name: process.parent.command_line.text + - flat_name: process.entry_leader.parent.command_line.text name: text type: match_only_text name: command_line @@ -12199,11 +14396,11 @@ process.parent.command_line: original_fieldset: process short: Full command line that started the process. type: wildcard -process.parent.elf.architecture: - dashed_name: process-parent-elf-architecture +process.entry_leader.parent.elf.architecture: + dashed_name: process-entry-leader-parent-elf-architecture description: Machine architecture of the ELF file. example: x86-64 - flat_name: process.parent.elf.architecture + flat_name: process.entry_leader.parent.elf.architecture ignore_above: 1024 level: extended name: architecture @@ -12211,11 +14408,11 @@ process.parent.elf.architecture: original_fieldset: elf short: Machine architecture of the ELF file. type: keyword -process.parent.elf.byte_order: - dashed_name: process-parent-elf-byte-order +process.entry_leader.parent.elf.byte_order: + dashed_name: process-entry-leader-parent-elf-byte-order description: Byte sequence of ELF file. example: Little Endian - flat_name: process.parent.elf.byte_order + flat_name: process.entry_leader.parent.elf.byte_order ignore_above: 1024 level: extended name: byte_order 
@@ -12223,11 +14420,11 @@ process.parent.elf.byte_order: original_fieldset: elf short: Byte sequence of ELF file. type: keyword -process.parent.elf.cpu_type: - dashed_name: process-parent-elf-cpu-type +process.entry_leader.parent.elf.cpu_type: + dashed_name: process-entry-leader-parent-elf-cpu-type description: CPU type of the ELF file. example: Intel - flat_name: process.parent.elf.cpu_type + flat_name: process.entry_leader.parent.elf.cpu_type ignore_above: 1024 level: extended name: cpu_type @@ -12235,21 +14432,21 @@ process.parent.elf.cpu_type: original_fieldset: elf short: CPU type of the ELF file. type: keyword -process.parent.elf.creation_date: - dashed_name: process-parent-elf-creation-date +process.entry_leader.parent.elf.creation_date: + dashed_name: process-entry-leader-parent-elf-creation-date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. - flat_name: process.parent.elf.creation_date + flat_name: process.entry_leader.parent.elf.creation_date level: extended name: creation_date normalize: [] original_fieldset: elf short: Build or compile date. type: date -process.parent.elf.exports: - dashed_name: process-parent-elf-exports +process.entry_leader.parent.elf.exports: + dashed_name: process-entry-leader-parent-elf-exports description: List of exported element names and types. - flat_name: process.parent.elf.exports + flat_name: process.entry_leader.parent.elf.exports level: extended name: exports normalize: 
@@ -12257,8 +14454,8 @@ process.parent.elf.exports: original_fieldset: elf short: List of exported element names and types. type: flattened -process.parent.elf.go_import_hash: - dashed_name: process-parent-elf-go-import-hash +process.entry_leader.parent.elf.go_import_hash: + dashed_name: process-entry-leader-parent-elf-go-import-hash description: 'A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change @@ -12267,7 +14464,7 @@ process.parent.elf.go_import_hash: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.elf.go_import_hash + flat_name: process.entry_leader.parent.elf.go_import_hash ignore_above: 1024 level: extended name: go_import_hash 
@@ -12275,20 +14472,20 @@ process.parent.elf.go_import_hash: original_fieldset: elf short: A hash of the Go language imports in an ELF file. type: keyword -process.parent.elf.go_imports: - dashed_name: process-parent-elf-go-imports +process.entry_leader.parent.elf.go_imports: + dashed_name: process-entry-leader-parent-elf-go-imports description: List of imported Go language element names and types. - flat_name: process.parent.elf.go_imports + flat_name: process.entry_leader.parent.elf.go_imports level: extended name: go_imports normalize: [] original_fieldset: elf short: List of imported Go language element names and types. type: flattened -process.parent.elf.go_imports_names_entropy: - dashed_name: process-parent-elf-go-imports-names-entropy +process.entry_leader.parent.elf.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-elf-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.elf.go_imports_names_entropy + flat_name: process.entry_leader.parent.elf.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy @@ -12296,10 +14493,10 @@ process.parent.elf.go_imports_names_entropy: original_fieldset: elf short: Shannon entropy calculation from the list of Go imports. type: long -process.parent.elf.go_imports_names_var_entropy: - dashed_name: process-parent-elf-go-imports-names-var-entropy +process.entry_leader.parent.elf.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-elf-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.elf.go_imports_names_var_entropy + flat_name: process.entry_leader.parent.elf.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -12307,21 +14504,21 @@ process.parent.elf.go_imports_names_var_entropy: original_fieldset: elf short: Variance for Shannon entropy calculation from the list of Go imports. type: long -process.parent.elf.go_stripped: - dashed_name: process-parent-elf-go-stripped +process.entry_leader.parent.elf.go_stripped: + dashed_name: process-entry-leader-parent-elf-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.elf.go_stripped + flat_name: process.entry_leader.parent.elf.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: elf short: Whether the file is a stripped or obfuscated Go executable. type: boolean -process.parent.elf.header.abi_version: - dashed_name: process-parent-elf-header-abi-version +process.entry_leader.parent.elf.header.abi_version: + dashed_name: process-entry-leader-parent-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.parent.elf.header.abi_version + flat_name: process.entry_leader.parent.elf.header.abi_version ignore_above: 1024 level: extended name: header.abi_version @@ -12329,10 +14526,10 @@ process.parent.elf.header.abi_version: original_fieldset: elf short: Version of the ELF Application Binary Interface (ABI). type: keyword -process.parent.elf.header.class: - dashed_name: process-parent-elf-header-class +process.entry_leader.parent.elf.header.class: + dashed_name: process-entry-leader-parent-elf-header-class description: Header class of the ELF file. - flat_name: process.parent.elf.header.class + flat_name: process.entry_leader.parent.elf.header.class ignore_above: 1024 level: extended name: header.class 
@@ -12340,10 +14537,10 @@ process.parent.elf.header.class: original_fieldset: elf short: Header class of the ELF file. type: keyword -process.parent.elf.header.data: - dashed_name: process-parent-elf-header-data +process.entry_leader.parent.elf.header.data: + dashed_name: process-entry-leader-parent-elf-header-data description: Data table of the ELF header. - flat_name: process.parent.elf.header.data + flat_name: process.entry_leader.parent.elf.header.data ignore_above: 1024 level: extended name: header.data @@ -12351,10 +14548,10 @@ process.parent.elf.header.data: original_fieldset: elf short: Data table of the ELF header. type: keyword -process.parent.elf.header.entrypoint: - dashed_name: process-parent-elf-header-entrypoint +process.entry_leader.parent.elf.header.entrypoint: + dashed_name: process-entry-leader-parent-elf-header-entrypoint description: Header entrypoint of the ELF file. - flat_name: process.parent.elf.header.entrypoint + flat_name: process.entry_leader.parent.elf.header.entrypoint format: string level: extended name: header.entrypoint @@ -12362,10 +14559,10 @@ process.parent.elf.header.entrypoint: original_fieldset: elf short: Header entrypoint of the ELF file. type: long -process.parent.elf.header.object_version: - dashed_name: process-parent-elf-header-object-version +process.entry_leader.parent.elf.header.object_version: + dashed_name: process-entry-leader-parent-elf-header-object-version description: '"0x1" for original ELF files.' - flat_name: process.parent.elf.header.object_version + flat_name: process.entry_leader.parent.elf.header.object_version ignore_above: 1024 level: extended name: header.object_version 
@@ -12373,10 +14570,10 @@ process.parent.elf.header.object_version: original_fieldset: elf short: '"0x1" for original ELF files.' type: keyword -process.parent.elf.header.os_abi: - dashed_name: process-parent-elf-header-os-abi +process.entry_leader.parent.elf.header.os_abi: + dashed_name: process-entry-leader-parent-elf-header-os-abi description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.parent.elf.header.os_abi + flat_name: process.entry_leader.parent.elf.header.os_abi ignore_above: 1024 level: extended name: header.os_abi @@ -12384,10 +14581,10 @@ process.parent.elf.header.os_abi: original_fieldset: elf short: Application Binary Interface (ABI) of the Linux OS. type: keyword -process.parent.elf.header.type: - dashed_name: process-parent-elf-header-type +process.entry_leader.parent.elf.header.type: + dashed_name: process-entry-leader-parent-elf-header-type description: Header type of the ELF file. - flat_name: process.parent.elf.header.type + flat_name: process.entry_leader.parent.elf.header.type ignore_above: 1024 level: extended name: header.type @@ -12395,10 +14592,10 @@ process.parent.elf.header.type: original_fieldset: elf short: Header type of the ELF file. type: keyword -process.parent.elf.header.version: - dashed_name: process-parent-elf-header-version +process.entry_leader.parent.elf.header.version: + dashed_name: process-entry-leader-parent-elf-header-version description: Version of the ELF header. - flat_name: process.parent.elf.header.version + flat_name: process.entry_leader.parent.elf.header.version ignore_above: 1024 level: extended name: header.version 
@@ -12406,15 +14603,15 @@ process.parent.elf.header.version: original_fieldset: elf short: Version of the ELF header. type: keyword -process.parent.elf.import_hash: - dashed_name: process-parent-elf-import-hash +process.entry_leader.parent.elf.import_hash: + dashed_name: process-entry-leader-parent-elf-import-hash description: 'A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is an ELF implementation of the Windows PE imphash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.elf.import_hash + flat_name: process.entry_leader.parent.elf.import_hash ignore_above: 1024 level: extended name: import_hash @@ -12422,10 +14619,10 @@ process.parent.elf.import_hash: original_fieldset: elf short: A hash of the imports in an ELF file. type: keyword -process.parent.elf.imports: - dashed_name: process-parent-elf-imports +process.entry_leader.parent.elf.imports: + dashed_name: process-entry-leader-parent-elf-imports description: List of imported element names and types. - flat_name: process.parent.elf.imports + flat_name: process.entry_leader.parent.elf.imports level: extended name: imports normalize: @@ -12433,11 +14630,11 @@ process.parent.elf.imports: original_fieldset: elf short: List of imported element names and types. type: flattened -process.parent.elf.imports_names_entropy: - dashed_name: process-parent-elf-imports-names-entropy +process.entry_leader.parent.elf.imports_names_entropy: + dashed_name: process-entry-leader-parent-elf-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.parent.elf.imports_names_entropy + flat_name: process.entry_leader.parent.elf.imports_names_entropy format: number level: extended name: imports_names_entropy 
@@ -12445,11 +14642,11 @@ process.parent.elf.imports_names_entropy: original_fieldset: elf short: Shannon entropy calculation from the list of imported element names and types. type: long -process.parent.elf.imports_names_var_entropy: - dashed_name: process-parent-elf-imports-names-var-entropy +process.entry_leader.parent.elf.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-elf-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.parent.elf.imports_names_var_entropy + flat_name: process.entry_leader.parent.elf.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy @@ -12458,13 +14655,13 @@ process.parent.elf.imports_names_var_entropy: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long -process.parent.elf.sections: - dashed_name: process-parent-elf-sections +process.entry_leader.parent.elf.sections: + dashed_name: process-entry-leader-parent-elf-sections description: 'An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.' - flat_name: process.parent.elf.sections + flat_name: process.entry_leader.parent.elf.sections level: extended name: sections normalize: @@ -12472,10 +14669,10 @@ process.parent.elf.sections: original_fieldset: elf short: Section information of the ELF file. type: nested -process.parent.elf.sections.chi2: - dashed_name: process-parent-elf-sections-chi2 +process.entry_leader.parent.elf.sections.chi2: + dashed_name: process-entry-leader-parent-elf-sections-chi2 description: Chi-square probability distribution of the section. - flat_name: process.parent.elf.sections.chi2 + flat_name: process.entry_leader.parent.elf.sections.chi2 format: number level: extended name: sections.chi2 
@@ -12483,10 +14680,10 @@ process.parent.elf.sections.chi2: original_fieldset: elf short: Chi-square probability distribution of the section. type: long -process.parent.elf.sections.entropy: - dashed_name: process-parent-elf-sections-entropy +process.entry_leader.parent.elf.sections.entropy: + dashed_name: process-entry-leader-parent-elf-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.parent.elf.sections.entropy + flat_name: process.entry_leader.parent.elf.sections.entropy format: number level: extended name: sections.entropy @@ -12494,10 +14691,10 @@ process.parent.elf.sections.entropy: original_fieldset: elf short: Shannon entropy calculation from the section. type: long -process.parent.elf.sections.flags: - dashed_name: process-parent-elf-sections-flags +process.entry_leader.parent.elf.sections.flags: + dashed_name: process-entry-leader-parent-elf-sections-flags description: ELF Section List flags. - flat_name: process.parent.elf.sections.flags + flat_name: process.entry_leader.parent.elf.sections.flags ignore_above: 1024 level: extended name: sections.flags @@ -12505,10 +14702,10 @@ process.parent.elf.sections.flags: original_fieldset: elf short: ELF Section List flags. type: keyword -process.parent.elf.sections.name: - dashed_name: process-parent-elf-sections-name +process.entry_leader.parent.elf.sections.name: + dashed_name: process-entry-leader-parent-elf-sections-name description: ELF Section List name. - flat_name: process.parent.elf.sections.name + flat_name: process.entry_leader.parent.elf.sections.name ignore_above: 1024 level: extended name: sections.name 
@@ -12516,10 +14713,10 @@ process.parent.elf.sections.name: original_fieldset: elf short: ELF Section List name. type: keyword -process.parent.elf.sections.physical_offset: - dashed_name: process-parent-elf-sections-physical-offset +process.entry_leader.parent.elf.sections.physical_offset: + dashed_name: process-entry-leader-parent-elf-sections-physical-offset description: ELF Section List offset. - flat_name: process.parent.elf.sections.physical_offset + flat_name: process.entry_leader.parent.elf.sections.physical_offset ignore_above: 1024 level: extended name: sections.physical_offset @@ -12527,10 +14724,10 @@ process.parent.elf.sections.physical_offset: original_fieldset: elf short: ELF Section List offset. type: keyword -process.parent.elf.sections.physical_size: - dashed_name: process-parent-elf-sections-physical-size +process.entry_leader.parent.elf.sections.physical_size: + dashed_name: process-entry-leader-parent-elf-sections-physical-size description: ELF Section List physical size. - flat_name: process.parent.elf.sections.physical_size + flat_name: process.entry_leader.parent.elf.sections.physical_size format: bytes level: extended name: sections.physical_size @@ -12538,10 +14735,10 @@ process.parent.elf.sections.physical_size: original_fieldset: elf short: ELF Section List physical size. type: long -process.parent.elf.sections.type: - dashed_name: process-parent-elf-sections-type +process.entry_leader.parent.elf.sections.type: + dashed_name: process-entry-leader-parent-elf-sections-type description: ELF Section List type. - flat_name: process.parent.elf.sections.type + flat_name: process.entry_leader.parent.elf.sections.type ignore_above: 1024 level: extended name: sections.type 
@@ -12549,10 +14746,10 @@ process.parent.elf.sections.type: original_fieldset: elf short: ELF Section List type. type: keyword -process.parent.elf.sections.var_entropy: - dashed_name: process-parent-elf-sections-var-entropy +process.entry_leader.parent.elf.sections.var_entropy: + dashed_name: process-entry-leader-parent-elf-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.elf.sections.var_entropy + flat_name: process.entry_leader.parent.elf.sections.var_entropy format: number level: extended name: sections.var_entropy @@ -12560,10 +14757,10 @@ process.parent.elf.sections.var_entropy: original_fieldset: elf short: Variance for Shannon entropy calculation from the section. type: long -process.parent.elf.sections.virtual_address: - dashed_name: process-parent-elf-sections-virtual-address +process.entry_leader.parent.elf.sections.virtual_address: + dashed_name: process-entry-leader-parent-elf-sections-virtual-address description: ELF Section List virtual address. - flat_name: process.parent.elf.sections.virtual_address + flat_name: process.entry_leader.parent.elf.sections.virtual_address format: string level: extended name: sections.virtual_address @@ -12571,10 +14768,10 @@ process.parent.elf.sections.virtual_address: original_fieldset: elf short: ELF Section List virtual address. type: long -process.parent.elf.sections.virtual_size: - dashed_name: process-parent-elf-sections-virtual-size +process.entry_leader.parent.elf.sections.virtual_size: + dashed_name: process-entry-leader-parent-elf-sections-virtual-size description: ELF Section List virtual size. - flat_name: process.parent.elf.sections.virtual_size + flat_name: process.entry_leader.parent.elf.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -12582,13 +14779,13 @@ process.parent.elf.sections.virtual_size: original_fieldset: elf short: ELF Section List virtual size. type: long -process.parent.elf.segments: - dashed_name: process-parent-elf-segments +process.entry_leader.parent.elf.segments: + dashed_name: process-entry-leader-parent-elf-segments description: 'An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.' - flat_name: process.parent.elf.segments + flat_name: process.entry_leader.parent.elf.segments level: extended name: segments normalize: @@ -12596,10 +14793,10 @@ process.parent.elf.segments: original_fieldset: elf short: ELF object segment list. type: nested -process.parent.elf.segments.sections: - dashed_name: process-parent-elf-segments-sections +process.entry_leader.parent.elf.segments.sections: + dashed_name: process-entry-leader-parent-elf-segments-sections description: ELF object segment sections. - flat_name: process.parent.elf.segments.sections + flat_name: process.entry_leader.parent.elf.segments.sections ignore_above: 1024 level: extended name: segments.sections @@ -12607,10 +14804,10 @@ process.parent.elf.segments.sections: original_fieldset: elf short: ELF object segment sections. type: keyword -process.parent.elf.segments.type: - dashed_name: process-parent-elf-segments-type +process.entry_leader.parent.elf.segments.type: + dashed_name: process-entry-leader-parent-elf-segments-type description: ELF object segment type. - flat_name: process.parent.elf.segments.type + flat_name: process.entry_leader.parent.elf.segments.type ignore_above: 1024 level: extended name: segments.type 
@@ -12618,10 +14815,10 @@ process.parent.elf.segments.type: original_fieldset: elf short: ELF object segment type. type: keyword -process.parent.elf.shared_libraries: - dashed_name: process-parent-elf-shared-libraries +process.entry_leader.parent.elf.shared_libraries: + dashed_name: process-entry-leader-parent-elf-shared-libraries description: List of shared libraries used by this ELF object. - flat_name: process.parent.elf.shared_libraries + flat_name: process.entry_leader.parent.elf.shared_libraries ignore_above: 1024 level: extended name: shared_libraries @@ -12630,10 +14827,10 @@ process.parent.elf.shared_libraries: original_fieldset: elf short: List of shared libraries used by this ELF object. type: keyword -process.parent.elf.telfhash: - dashed_name: process-parent-elf-telfhash +process.entry_leader.parent.elf.telfhash: + dashed_name: process-entry-leader-parent-elf-telfhash description: telfhash symbol hash for ELF file. - flat_name: process.parent.elf.telfhash + flat_name: process.entry_leader.parent.elf.telfhash ignore_above: 1024 level: extended name: telfhash 
@@ -12641,19 +14838,31 @@ process.parent.elf.telfhash: original_fieldset: elf short: telfhash hash for ELF file. type: keyword -process.parent.end: - dashed_name: process-parent-end +process.entry_leader.parent.end: + dashed_name: process-entry-leader-parent-end description: The time the process ended. example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.end + flat_name: process.entry_leader.parent.end level: extended name: end normalize: [] original_fieldset: process short: The time the process ended. type: date -process.parent.entity_id: - dashed_name: process-parent-entity-id +process.entry_leader.parent.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.entry_leader.parent.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean +process.entry_leader.parent.entity_id: + dashed_name: process-entry-leader-parent-entity-id description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples @@ -12664,7 +14873,7 @@ process.parent.entity_id: reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d - flat_name: process.parent.entity_id + flat_name: process.entry_leader.parent.entity_id ignore_above: 1024 level: extended name: entity_id 
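Review bot: `process.entry_leader.parent.endpoint_security_client` is the only net-new field among these otherwise rename-only hunks (the header goes from 19 to 31 lines), and its `description` does not state what the field actually captures: "Processes that have an endpoint security client must have the com.apple.endpointsecurity entitlement and the value is set to true in the message." explains an entitlement requirement, while `short` says "Indicates whether this process executable is an Endpoint Security client." Suggest leading the description with the same statement as `short` and then giving the entitlement detail as the condition under which the boolean is `true`; also consider adding the qualifier "The field is relevant to Apple *OS only." that the neighbouring `code_signature.signing_id` and `code_signature.team_id` descriptions carry, since the `com.apple.endpointsecurity` entitlement is platform-specific. Finally, please confirm this field addition is intended to ride along with this change rather than coming from an unrelated regeneration of the file.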
@@ -12672,15 +14881,388 @@ process.parent.entity_id: original_fieldset: process short: Unique identifier for the process. type: keyword -process.parent.executable: - dashed_name: process-parent-executable +process.entry_leader.parent.entry_meta.source.address: + dashed_name: process-entry-leader-parent-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.entry_leader.parent.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword +process.entry_leader.parent.entry_meta.source.as.number: + dashed_name: process-entry-leader-parent-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.entry_leader.parent.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.entry_leader.parent.entry_meta.source.as.organization.name: + dashed_name: process-entry-leader-parent-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.entry_leader.parent.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. 
+ type: keyword +process.entry_leader.parent.entry_meta.source.bytes: + dashed_name: process-entry-leader-parent-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.entry_leader.parent.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long +process.entry_leader.parent.entry_meta.source.domain: + dashed_name: process-entry-leader-parent-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com + flat_name: process.entry_leader.parent.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.entry_leader.parent.entry_meta.source.geo.city_name: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.entry_leader.parent.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +process.entry_leader.parent.entry_meta.source.geo.continent_code: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.entry_leader.parent.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. 
+ type: keyword +process.entry_leader.parent.entry_meta.source.geo.continent_name: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.entry_leader.parent.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +process.entry_leader.parent.entry_meta.source.geo.country_iso_code: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.entry_leader.parent.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +process.entry_leader.parent.entry_meta.source.geo.country_name: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.entry_leader.parent.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +process.entry_leader.parent.entry_meta.source.geo.location: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.entry_leader.parent.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +process.entry_leader.parent.entry_meta.source.geo.name: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. 
+ + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.entry_leader.parent.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.entry_leader.parent.entry_meta.source.geo.postal_code: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.entry_leader.parent.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +process.entry_leader.parent.entry_meta.source.geo.region_iso_code: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.entry_leader.parent.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.entry_leader.parent.entry_meta.source.geo.region_name: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.entry_leader.parent.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +process.entry_leader.parent.entry_meta.source.geo.timezone: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. 
+ example: America/Argentina/Buenos_Aires + flat_name: process.entry_leader.parent.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +process.entry_leader.parent.entry_meta.source.ip: + dashed_name: process-entry-leader-parent-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.entry_leader.parent.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip +process.entry_leader.parent.entry_meta.source.mac: + dashed_name: process-entry-leader-parent-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.entry_leader.parent.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.entry_leader.parent.entry_meta.source.nat.ip: + dashed_name: process-entry-leader-parent-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.entry_leader.parent.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.entry_leader.parent.entry_meta.source.nat.port: + dashed_name: process-entry-leader-parent-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. 
internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.entry_leader.parent.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.entry_leader.parent.entry_meta.source.packets: + dashed_name: process-entry-leader-parent-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.entry_leader.parent.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.entry_leader.parent.entry_meta.source.port: + dashed_name: process-entry-leader-parent-entry-meta-source-port + description: Port of the source. + flat_name: process.entry_leader.parent.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.entry_leader.parent.entry_meta.source.registered_domain: + dashed_name: process-entry-leader-parent-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.entry_leader.parent.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. 
+ type: keyword +process.entry_leader.parent.entry_meta.source.subdomain: + dashed_name: process-entry-leader-parent-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.entry_leader.parent.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword +process.entry_leader.parent.entry_meta.source.top_level_domain: + dashed_name: process-entry-leader-parent-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.entry_leader.parent.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword +process.entry_leader.parent.entry_meta.type: + dashed_name: process-entry-leader-parent-entry-meta-type + description: 'The entry type for the entry session leader. 
Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.entry_leader.parent.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword +process.entry_leader.parent.env_vars: + dashed_name: process-entry-leader-parent-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.entry_leader.parent.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.executable: + dashed_name: process-entry-leader-parent-executable description: Absolute path to the process executable. example: /usr/bin/ssh - flat_name: process.parent.executable + flat_name: process.entry_leader.parent.executable ignore_above: 1024 level: extended multi_fields: - - flat_name: process.parent.executable.text + - flat_name: process.entry_leader.parent.executable.text name: text type: match_only_text name: executable 
@@ -12688,24 +15270,37 @@ process.parent.executable: original_fieldset: process short: Absolute path to the process executable. type: keyword -process.parent.exit_code: - dashed_name: process-parent-exit-code +process.entry_leader.parent.exit_code: + dashed_name: process-entry-leader-parent-exit-code description: 'The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).' example: 137 - flat_name: process.parent.exit_code + flat_name: process.entry_leader.parent.exit_code level: extended name: exit_code normalize: [] original_fieldset: process short: The exit code of the process. type: long -process.parent.group.id: - dashed_name: process-parent-group-id +process.entry_leader.parent.group.domain: + dashed_name: process-entry-leader-parent-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.group.id: + dashed_name: process-entry-leader-parent-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group.id + flat_name: process.entry_leader.parent.group.id ignore_above: 1024 level: extended name: id @@ -12713,10 +15308,10 @@ process.parent.group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.parent.group.name: - dashed_name: process-parent-group-name +process.entry_leader.parent.group.name: + dashed_name: process-entry-leader-parent-group-name description: Name of the group. - flat_name: process.parent.group.name + flat_name: process.entry_leader.parent.group.name ignore_above: 1024 level: extended name: name 
@@ -12724,695 +15319,41142 @@ process.parent.group.name: original_fieldset: group short: Name of the group. type: keyword -process.parent.group_leader.entity_id: - dashed_name: process-parent-group-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.parent.group_leader.entity_id +process.entry_leader.parent.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.entry_leader.parent.hash.cdhash ignore_above: 1024 level: extended - name: entity_id + name: cdhash normalize: [] - original_fieldset: process - short: Unique identifier for the process. + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. type: keyword -process.parent.group_leader.pid: - dashed_name: process-parent-group-leader-pid - description: Process id. - example: 4242 - flat_name: process.parent.group_leader.pid - format: string - level: core - name: pid +process.entry_leader.parent.hash.md5: + dashed_name: process-entry-leader-parent-hash-md5 + description: MD5 hash. + flat_name: process.entry_leader.parent.hash.md5 + ignore_above: 1024 + level: extended + name: md5 normalize: [] - original_fieldset: process - short: Process id. 
- type: long -process.parent.group_leader.start: - dashed_name: process-parent-group-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.group_leader.start + original_fieldset: hash + short: MD5 hash. + type: keyword +process.entry_leader.parent.hash.sha1: + dashed_name: process-entry-leader-parent-hash-sha1 + description: SHA1 hash. + flat_name: process.entry_leader.parent.hash.sha1 + ignore_above: 1024 level: extended - name: start + name: sha1 normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.parent.group_leader.vpid: - dashed_name: process-parent-group-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.parent.group_leader.vpid - format: string - level: core - name: vpid + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.entry_leader.parent.hash.sha256: + dashed_name: process-entry-leader-parent-hash-sha256 + description: SHA256 hash. + flat_name: process.entry_leader.parent.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.parent.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-parent-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.parent.hash.cdhash + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.entry_leader.parent.hash.sha384: + dashed_name: process-entry-leader-parent-hash-sha384 + description: SHA384 hash. 
+ flat_name: process.entry_leader.parent.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword +process.entry_leader.parent.hash.sha512: + dashed_name: process-entry-leader-parent-hash-sha512 + description: SHA512 hash. + flat_name: process.entry_leader.parent.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.entry_leader.parent.hash.ssdeep: + dashed_name: process-entry-leader-parent-hash-ssdeep + description: SSDEEP hash. + flat_name: process.entry_leader.parent.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +process.entry_leader.parent.hash.tlsh: + dashed_name: process-entry-leader-parent-hash-tlsh + description: TLSH hash. + flat_name: process.entry_leader.parent.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.entry_leader.parent.interactive: + dashed_name: process-entry-leader-parent-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' 
+ example: true + flat_name: process.entry_leader.parent.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.entry_leader.parent.io: + dashed_name: process-entry-leader-parent-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.entry_leader.parent.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object +process.entry_leader.parent.io.bytes_skipped: + dashed_name: process-entry-leader-parent-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. + flat_name: process.entry_leader.parent.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.entry_leader.parent.io.bytes_skipped.length: + dashed_name: process-entry-leader-parent-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.entry_leader.parent.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long +process.entry_leader.parent.io.bytes_skipped.offset: + dashed_name: process-entry-leader-parent-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. 
+ flat_name: process.entry_leader.parent.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.entry_leader.parent.io.max_bytes_per_process_exceeded: + dashed_name: process-entry-leader-parent-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.entry_leader.parent.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.entry_leader.parent.io.text: + dashed_name: process-entry-leader-parent-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.entry_leader.parent.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard +process.entry_leader.parent.io.total_bytes_captured: + dashed_name: process-entry-leader-parent-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.entry_leader.parent.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. 
+ type: long +process.entry_leader.parent.io.total_bytes_skipped: + dashed_name: process-entry-leader-parent-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.entry_leader.parent.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: long +process.entry_leader.parent.io.type: + dashed_name: process-entry-leader-parent-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.entry_leader.parent.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword +process.entry_leader.parent.macho.go_import_hash: + dashed_name: process-entry-leader-parent-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.parent.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. 
+ type: keyword +process.entry_leader.parent.macho.go_imports: + dashed_name: process-entry-leader-parent-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.parent.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.entry_leader.parent.macho.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.parent.macho.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.parent.macho.go_stripped: + dashed_name: process-entry-leader-parent-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.parent.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. 
+ type: boolean +process.entry_leader.parent.macho.import_hash: + dashed_name: process-entry-leader-parent-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.parent.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.entry_leader.parent.macho.imports: + dashed_name: process-entry-leader-parent-macho-imports + description: List of imported element names and types. + flat_name: process.entry_leader.parent.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.entry_leader.parent.macho.imports_names_entropy: + dashed_name: process-entry-leader-parent-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.entry_leader.parent.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.entry_leader.parent.macho.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.entry_leader.parent.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.entry_leader.parent.macho.sections: + dashed_name: process-entry-leader-parent-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.entry_leader.parent.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.entry_leader.parent.macho.sections.entropy: + dashed_name: process-entry-leader-parent-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.entry_leader.parent.macho.sections.name: + dashed_name: process-entry-leader-parent-macho-sections-name + description: Mach-O Section List name. + flat_name: process.entry_leader.parent.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.entry_leader.parent.macho.sections.physical_size: + dashed_name: process-entry-leader-parent-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.entry_leader.parent.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. 
+ type: long +process.entry_leader.parent.macho.sections.var_entropy: + dashed_name: process-entry-leader-parent-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.entry_leader.parent.macho.sections.virtual_size: + dashed_name: process-entry-leader-parent-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.entry_leader.parent.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.entry_leader.parent.macho.symhash: + dashed_name: process-entry-leader-parent-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.entry_leader.parent.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.entry_leader.parent.name: + dashed_name: process-entry-leader-parent-name + description: 'Process name. + + Sometimes called program name or similar.' 
+ example: ssh + flat_name: process.entry_leader.parent.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword +process.entry_leader.parent.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + flat_name: process.entry_leader.parent.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.entry_leader.parent.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.entry_leader.parent.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword +process.entry_leader.parent.pe.architecture: + dashed_name: process-entry-leader-parent-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.entry_leader.parent.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +process.entry_leader.parent.pe.company: + dashed_name: process-entry-leader-parent-pe-company + description: Internal company name of the file, provided at compile-time. 
+ example: Microsoft Corporation + flat_name: process.entry_leader.parent.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.entry_leader.parent.pe.description: + dashed_name: process-entry-leader-parent-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.entry_leader.parent.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +process.entry_leader.parent.pe.file_version: + dashed_name: process-entry-leader-parent-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.entry_leader.parent.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +process.entry_leader.parent.pe.go_import_hash: + dashed_name: process-entry-leader-parent-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.parent.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. 
+ type: keyword +process.entry_leader.parent.pe.go_imports: + dashed_name: process-entry-leader-parent-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.parent.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.entry_leader.parent.pe.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.parent.pe.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.parent.pe.go_stripped: + dashed_name: process-entry-leader-parent-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.parent.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.entry_leader.parent.pe.imphash: + dashed_name: process-entry-leader-parent-pe-imphash + description: 'A hash of the imports in a PE file. 
An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.entry_leader.parent.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.entry_leader.parent.pe.import_hash: + dashed_name: process-entry-leader-parent-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.parent.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.entry_leader.parent.pe.imports: + dashed_name: process-entry-leader-parent-pe-imports + description: List of imported element names and types. + flat_name: process.entry_leader.parent.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +process.entry_leader.parent.pe.imports_names_entropy: + dashed_name: process-entry-leader-parent-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.entry_leader.parent.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.entry_leader.parent.pe.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.parent.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.entry_leader.parent.pe.original_file_name: + dashed_name: process-entry-leader-parent-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.entry_leader.parent.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +process.entry_leader.parent.pe.pehash: + dashed_name: process-entry-leader-parent-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.entry_leader.parent.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. 
+ type: keyword +process.entry_leader.parent.pe.product: + dashed_name: process-entry-leader-parent-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.entry_leader.parent.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.entry_leader.parent.pe.sections: + dashed_name: process-entry-leader-parent-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.entry_leader.parent.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.entry_leader.parent.pe.sections.entropy: + dashed_name: process-entry-leader-parent-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.entry_leader.parent.pe.sections.name: + dashed_name: process-entry-leader-parent-pe-sections-name + description: PE Section List name. + flat_name: process.entry_leader.parent.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword +process.entry_leader.parent.pe.sections.physical_size: + dashed_name: process-entry-leader-parent-pe-sections-physical-size + description: PE Section List physical size. 
+ flat_name: process.entry_leader.parent.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.entry_leader.parent.pe.sections.var_entropy: + dashed_name: process-entry-leader-parent-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.entry_leader.parent.pe.sections.virtual_size: + dashed_name: process-entry-leader-parent-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.entry_leader.parent.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.entry_leader.parent.pid: + dashed_name: process-entry-leader-parent-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.parent.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.entry_leader.parent.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. + flat_name: process.entry_leader.parent.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. 
+ type: boolean +process.entry_leader.parent.real_group.domain: + dashed_name: process-entry-leader-parent-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.real_group.id: + dashed_name: process-entry-leader-parent-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.real_group.name: + dashed_name: process-entry-leader-parent-real-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.real_user.domain: + dashed_name: process-entry-leader-parent-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.entry_leader.parent.real_user.email: + dashed_name: process-entry-leader-parent-real-user-email + description: User email address. + flat_name: process.entry_leader.parent.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. 
+ type: keyword +process.entry_leader.parent.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.entry_leader.parent.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.entry_leader.parent.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.entry_leader.parent.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.entry_leader.parent.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.entry_leader.parent.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.real_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.entry_leader.parent.real_user.entity.id: + dashed_name: process-entry-leader-parent-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.entry_leader.parent.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.entry_leader.parent.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.parent.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." 
+ type: date +process.entry_leader.parent.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.entry_leader.parent.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.entry_leader.parent.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.entry_leader.parent.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.entry_leader.parent.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.real_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. 
+ type: keyword +process.entry_leader.parent.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.entry_leader.parent.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.entry_leader.parent.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.parent.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.entry_leader.parent.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.entry_leader.parent.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.entry_leader.parent.real_user.entity.sub_type: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.parent.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.entry_leader.parent.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. 
This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.entry_leader.parent.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.entry_leader.parent.real_user.full_name: + dashed_name: process-entry-leader-parent-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. 
+ type: keyword +process.entry_leader.parent.real_user.group.domain: + dashed_name: process-entry-leader-parent-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.real_user.group.id: + dashed_name: process-entry-leader-parent-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.real_user.group.name: + dashed_name: process-entry-leader-parent-real-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.real_user.hash: + dashed_name: process-entry-leader-parent-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.parent.real_user.id: + dashed_name: process-entry-leader-parent-real-user-id + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.entry_leader.parent.real_user.name: + dashed_name: process-entry-leader-parent-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.entry_leader.parent.real_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.entry_leader.parent.real_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: float +process.entry_leader.parent.real_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.parent.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.entry_leader.parent.real_user.risk.static_level: + dashed_name: process-entry-leader-parent-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.entry_leader.parent.real_user.risk.static_score: + dashed_name: process-entry-leader-parent-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: float +process.entry_leader.parent.real_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.entry_leader.parent.real_user.roles: + dashed_name: process-entry-leader-parent-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.same_as_process: + dashed_name: process-entry-leader-parent-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. 
e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.entry_leader.parent.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.entry_leader.parent.saved_group.domain: + dashed_name: process-entry-leader-parent-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.saved_group.id: + dashed_name: process-entry-leader-parent-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.saved_group.name: + dashed_name: process-entry-leader-parent-saved-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.entry_leader.parent.saved_user.domain: + dashed_name: process-entry-leader-parent-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.entry_leader.parent.saved_user.email: + dashed_name: process-entry-leader-parent-saved-user-email + description: User email address. + flat_name: process.entry_leader.parent.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.entry_leader.parent.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.entry_leader.parent.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.entry_leader.parent.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. 
Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.entry_leader.parent.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.entry_leader.parent.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.parent.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.saved_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.entry_leader.parent.saved_user.entity.id: + dashed_name: process-entry-leader-parent-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. 
Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.entry_leader.parent.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.entry_leader.parent.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.parent.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.entry_leader.parent.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.entry_leader.parent.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. 
+ flat_name: process.entry_leader.parent.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.entry_leader.parent.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.entry_leader.parent.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.saved_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.entry_leader.parent.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.entry_leader.parent.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.entry_leader.parent.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. 
This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.parent.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.entry_leader.parent.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.entry_leader.parent.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.entry_leader.parent.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.parent.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.entry_leader.parent.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. 
Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. 
This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-type + description: 'A standardized high-level classification of the entity. 
This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.entry_leader.parent.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.entry_leader.parent.saved_user.full_name: + dashed_name: process-entry-leader-parent-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.entry_leader.parent.saved_user.group.domain: + dashed_name: process-entry-leader-parent-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.saved_user.group.id: + dashed_name: process-entry-leader-parent-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword +process.entry_leader.parent.saved_user.group.name: + dashed_name: process-entry-leader-parent-saved-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.saved_user.hash: + dashed_name: process-entry-leader-parent-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.parent.saved_user.id: + dashed_name: process-entry-leader-parent-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.entry_leader.parent.saved_user.name: + dashed_name: process-entry-leader-parent-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword +process.entry_leader.parent.saved_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.entry_leader.parent.saved_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.entry_leader.parent.saved_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.parent.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float +process.entry_leader.parent.saved_user.risk.static_level: + dashed_name: process-entry-leader-parent-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.entry_leader.parent.saved_user.risk.static_score: + dashed_name: process-entry-leader-parent-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.entry_leader.parent.saved_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.entry_leader.parent.saved_user.roles: + dashed_name: process-entry-leader-parent-saved-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.session_leader.args: + dashed_name: process-entry-leader-parent-session-leader-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.entry_leader.parent.session_leader.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword +process.entry_leader.parent.session_leader.args_count: + dashed_name: process-entry-leader-parent-session-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.entry_leader.parent.session_leader.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long +process.entry_leader.parent.session_leader.attested_groups.domain: + dashed_name: process-entry-leader-parent-session-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.entry_leader.parent.session_leader.attested_groups.id: + dashed_name: process-entry-leader-parent-session-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.session_leader.attested_groups.name: + dashed_name: process-entry-leader-parent-session-leader-attested-groups-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.session_leader.attested_user.domain: + dashed_name: process-entry-leader-parent-session-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.entry_leader.parent.session_leader.attested_user.email: + dashed_name: process-entry-leader-parent-session-leader-attested-user-email + description: User email address. + flat_name: process.entry_leader.parent.session_leader.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.entry_leader.parent.session_leader.attested_user.entity.attributes: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.entry_leader.parent.session_leader.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.entry_leader.parent.session_leader.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. 
This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.entry_leader.parent.session_leader.attested_user.entity.id: + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.entry_leader.parent.session_leader.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. 
+ flat_name: process.entry_leader.parent.session_leader.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.entry_leader.parent.session_leader.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.entry_leader.parent.session_leader.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.entry_leader.parent.session_leader.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. 
For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.entry_leader.parent.session_leader.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.entry_leader.parent.session_leader.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. 
+ type: keyword +process.entry_leader.parent.session_leader.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.entry_leader.parent.session_leader.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.entry_leader.parent.session_leader.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. 
+ name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
+ example: host + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.entry_leader.parent.session_leader.attested_user.full_name: + dashed_name: process-entry-leader-parent-session-leader-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.session_leader.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.entry_leader.parent.session_leader.attested_user.group.domain: + dashed_name: process-entry-leader-parent-session-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.session_leader.attested_user.group.id: + dashed_name: process-entry-leader-parent-session-leader-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword +process.entry_leader.parent.session_leader.attested_user.group.name: + dashed_name: process-entry-leader-parent-session-leader-attested-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.session_leader.attested_user.hash: + dashed_name: process-entry-leader-parent-session-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.session_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.parent.session_leader.attested_user.id: + dashed_name: process-entry-leader-parent-session-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.session_leader.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.entry_leader.parent.session_leader.attested_user.name: + dashed_name: process-entry-leader-parent-session-leader-attested-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.entry_leader.parent.session_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.entry_leader.parent.session_leader.attested_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.entry_leader.parent.session_leader.attested_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: float +process.entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.entry_leader.parent.session_leader.attested_user.risk.static_level: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.entry_leader.parent.session_leader.attested_user.risk.static_score: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: float +process.entry_leader.parent.session_leader.attested_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.entry_leader.parent.session_leader.attested_user.roles: + dashed_name: process-entry-leader-parent-session-leader-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.session_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.session_leader.code_signature.digest_algorithm: + dashed_name: process-entry-leader-parent-session-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times by + the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.entry_leader.parent.session_leader.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. 
+ type: keyword +process.entry_leader.parent.session_leader.code_signature.exists: + dashed_name: process-entry-leader-parent-session-leader-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.entry_leader.parent.session_leader.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +process.entry_leader.parent.session_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.entry_leader.parent.session_leader.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword +process.entry_leader.parent.session_leader.code_signature.signing_id: + dashed_name: process-entry-leader-parent-session-leader-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.entry_leader.parent.session_leader.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +process.entry_leader.parent.session_leader.code_signature.status: + dashed_name: process-entry-leader-parent-session-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. 
Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.entry_leader.parent.session_leader.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +process.entry_leader.parent.session_leader.code_signature.subject_name: + dashed_name: process-entry-leader-parent-session-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.entry_leader.parent.session_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.entry_leader.parent.session_leader.code_signature.team_id: + dashed_name: process-entry-leader-parent-session-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.entry_leader.parent.session_leader.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword +process.entry_leader.parent.session_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. 
+ example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.entry_leader.parent.session_leader.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword +process.entry_leader.parent.session_leader.code_signature.timestamp: + dashed_name: process-entry-leader-parent-session-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.entry_leader.parent.session_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date +process.entry_leader.parent.session_leader.code_signature.trusted: + dashed_name: process-entry-leader-parent-session-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.entry_leader.parent.session_leader.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +process.entry_leader.parent.session_leader.code_signature.valid: + dashed_name: process-entry-leader-parent-session-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' 
+ example: 'true' + flat_name: process.entry_leader.parent.session_leader.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +process.entry_leader.parent.session_leader.command_line: + dashed_name: process-entry-leader-parent-session-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.entry_leader.parent.session_leader.command_line + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.entry_leader.parent.session_leader.elf.architecture: + dashed_name: process-entry-leader-parent-session-leader-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.entry_leader.parent.session_leader.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +process.entry_leader.parent.session_leader.elf.byte_order: + dashed_name: process-entry-leader-parent-session-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.entry_leader.parent.session_leader.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. 
+ type: keyword +process.entry_leader.parent.session_leader.elf.cpu_type: + dashed_name: process-entry-leader-parent-session-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.entry_leader.parent.session_leader.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +process.entry_leader.parent.session_leader.elf.creation_date: + dashed_name: process-entry-leader-parent-session-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: process.entry_leader.parent.session_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +process.entry_leader.parent.session_leader.elf.exports: + dashed_name: process-entry-leader-parent-session-leader-elf-exports + description: List of exported element names and types. + flat_name: process.entry_leader.parent.session_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +process.entry_leader.parent.session_leader.elf.go_import_hash: + dashed_name: process-entry-leader-parent-session-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.parent.session_leader.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +process.entry_leader.parent.session_leader.elf.go_imports: + dashed_name: process-entry-leader-parent-session-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.parent.session_leader.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +process.entry_leader.parent.session_leader.elf.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.parent.session_leader.elf.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long +process.entry_leader.parent.session_leader.elf.go_stripped: + dashed_name: process-entry-leader-parent-session-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.parent.session_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.entry_leader.parent.session_leader.elf.header.abi_version: + dashed_name: process-entry-leader-parent-session-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.entry_leader.parent.session_leader.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +process.entry_leader.parent.session_leader.elf.header.class: + dashed_name: process-entry-leader-parent-session-leader-elf-header-class + description: Header class of the ELF file. + flat_name: process.entry_leader.parent.session_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +process.entry_leader.parent.session_leader.elf.header.data: + dashed_name: process-entry-leader-parent-session-leader-elf-header-data + description: Data table of the ELF header. + flat_name: process.entry_leader.parent.session_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. 
+ type: keyword +process.entry_leader.parent.session_leader.elf.header.entrypoint: + dashed_name: process-entry-leader-parent-session-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.entry_leader.parent.session_leader.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +process.entry_leader.parent.session_leader.elf.header.object_version: + dashed_name: process-entry-leader-parent-session-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.entry_leader.parent.session_leader.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +process.entry_leader.parent.session_leader.elf.header.os_abi: + dashed_name: process-entry-leader-parent-session-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.entry_leader.parent.session_leader.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +process.entry_leader.parent.session_leader.elf.header.type: + dashed_name: process-entry-leader-parent-session-leader-elf-header-type + description: Header type of the ELF file. + flat_name: process.entry_leader.parent.session_leader.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +process.entry_leader.parent.session_leader.elf.header.version: + dashed_name: process-entry-leader-parent-session-leader-elf-header-version + description: Version of the ELF header. 
+ flat_name: process.entry_leader.parent.session_leader.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.entry_leader.parent.session_leader.elf.import_hash: + dashed_name: process-entry-leader-parent-session-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.parent.session_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword +process.entry_leader.parent.session_leader.elf.imports: + dashed_name: process-entry-leader-parent-session-leader-elf-imports + description: List of imported element names and types. + flat_name: process.entry_leader.parent.session_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.entry_leader.parent.session_leader.elf.imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.entry_leader.parent.session_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. 
+ type: long +process.entry_leader.parent.session_leader.elf.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.parent.session_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.entry_leader.parent.session_leader.elf.sections: + dashed_name: process-entry-leader-parent-session-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: process.entry_leader.parent.session_leader.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +process.entry_leader.parent.session_leader.elf.sections.chi2: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.entry_leader.parent.session_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +process.entry_leader.parent.session_leader.elf.sections.entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: process.entry_leader.parent.session_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +process.entry_leader.parent.session_leader.elf.sections.flags: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.entry_leader.parent.session_leader.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +process.entry_leader.parent.session_leader.elf.sections.name: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.entry_leader.parent.session_leader.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +process.entry_leader.parent.session_leader.elf.sections.physical_offset: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.entry_leader.parent.session_leader.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +process.entry_leader.parent.session_leader.elf.sections.physical_size: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.entry_leader.parent.session_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. 
+ type: long +process.entry_leader.parent.session_leader.elf.sections.type: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-type + description: ELF Section List type. + flat_name: process.entry_leader.parent.session_leader.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +process.entry_leader.parent.session_leader.elf.sections.var_entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long +process.entry_leader.parent.session_leader.elf.sections.virtual_address: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.entry_leader.parent.session_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.entry_leader.parent.session_leader.elf.sections.virtual_size: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.entry_leader.parent.session_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. 
+ type: long +process.entry_leader.parent.session_leader.elf.segments: + dashed_name: process-entry-leader-parent-session-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: process.entry_leader.parent.session_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +process.entry_leader.parent.session_leader.elf.segments.sections: + dashed_name: process-entry-leader-parent-session-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.entry_leader.parent.session_leader.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +process.entry_leader.parent.session_leader.elf.segments.type: + dashed_name: process-entry-leader-parent-session-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.entry_leader.parent.session_leader.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +process.entry_leader.parent.session_leader.elf.shared_libraries: + dashed_name: process-entry-leader-parent-session-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.entry_leader.parent.session_leader.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. 
+ type: keyword +process.entry_leader.parent.session_leader.elf.telfhash: + dashed_name: process-entry-leader-parent-session-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.entry_leader.parent.session_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +process.entry_leader.parent.session_leader.end: + dashed_name: process-entry-leader-parent-session-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.session_leader.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date +process.entry_leader.parent.session_leader.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.entry_leader.parent.session_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean +process.entry_leader.parent.session_leader.entity_id: + dashed_name: process-entry-leader-parent-session-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. 
+ + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.entry_leader.parent.session_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.address: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.as.number: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.bytes: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long +process.entry_leader.parent.session_leader.entry_meta.source.domain: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.geo.city_name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. 
+ type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_code: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.geo.country_name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. 
+ type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.geo.location: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +process.entry_leader.parent.session_leader.entry_meta.source.geo.name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.geo.postal_code: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. 
+ example: CA-QC + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.geo.region_name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.geo.timezone: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.ip: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip +process.entry_leader.parent.session_leader.entry_meta.source.mac: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. 
Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.nat.ip: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.entry_leader.parent.session_leader.entry_meta.source.nat.port: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.entry_leader.parent.session_leader.entry_meta.source.packets: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. 
+ type: long +process.entry_leader.parent.session_leader.entry_meta.source.port: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.entry_leader.parent.session_leader.entry_meta.source.registered_domain: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.subdomain: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' 
+ example: east + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.top_level_domain: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword +process.entry_leader.parent.session_leader.entry_meta.type: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.entry_leader.parent.session_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword +process.entry_leader.parent.session_leader.env_vars: + dashed_name: process-entry-leader-parent-session-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. 
+ + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.entry_leader.parent.session_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.session_leader.executable: + dashed_name: process-entry-leader-parent-session-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.entry_leader.parent.session_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword +process.entry_leader.parent.session_leader.exit_code: + dashed_name: process-entry-leader-parent-session-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.entry_leader.parent.session_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long +process.entry_leader.parent.session_leader.group.domain: + dashed_name: process-entry-leader-parent-session-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.entry_leader.parent.session_leader.group.id: + dashed_name: process-entry-leader-parent-session-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.session_leader.group.name: + dashed_name: process-entry-leader-parent-session-leader-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.session_leader.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.entry_leader.parent.session_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.entry_leader.parent.session_leader.hash.md5: + dashed_name: process-entry-leader-parent-session-leader-hash-md5 + description: MD5 hash. + flat_name: process.entry_leader.parent.session_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.entry_leader.parent.session_leader.hash.sha1: + dashed_name: process-entry-leader-parent-session-leader-hash-sha1 + description: SHA1 hash. 
+ flat_name: process.entry_leader.parent.session_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.entry_leader.parent.session_leader.hash.sha256: + dashed_name: process-entry-leader-parent-session-leader-hash-sha256 + description: SHA256 hash. + flat_name: process.entry_leader.parent.session_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.entry_leader.parent.session_leader.hash.sha384: + dashed_name: process-entry-leader-parent-session-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.entry_leader.parent.session_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword +process.entry_leader.parent.session_leader.hash.sha512: + dashed_name: process-entry-leader-parent-session-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.entry_leader.parent.session_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.entry_leader.parent.session_leader.hash.ssdeep: + dashed_name: process-entry-leader-parent-session-leader-hash-ssdeep + description: SSDEEP hash. + flat_name: process.entry_leader.parent.session_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +process.entry_leader.parent.session_leader.hash.tlsh: + dashed_name: process-entry-leader-parent-session-leader-hash-tlsh + description: TLSH hash. + flat_name: process.entry_leader.parent.session_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. 
+ type: keyword +process.entry_leader.parent.session_leader.interactive: + dashed_name: process-entry-leader-parent-session-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.entry_leader.parent.session_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.entry_leader.parent.session_leader.io: + dashed_name: process-entry-leader-parent-session-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.entry_leader.parent.session_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object +process.entry_leader.parent.session_leader.io.bytes_skipped: + dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. 
+ flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.entry_leader.parent.session_leader.io.bytes_skipped.length: + dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long +process.entry_leader.parent.session_leader.io.bytes_skipped.offset: + dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-entry-leader-parent-session-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. 
+ type: boolean +process.entry_leader.parent.session_leader.io.text: + dashed_name: process-entry-leader-parent-session-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.entry_leader.parent.session_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard +process.entry_leader.parent.session_leader.io.total_bytes_captured: + dashed_name: process-entry-leader-parent-session-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.entry_leader.parent.session_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long +process.entry_leader.parent.session_leader.io.total_bytes_skipped: + dashed_name: process-entry-leader-parent-session-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.entry_leader.parent.session_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. 
+ type: long +process.entry_leader.parent.session_leader.io.type: + dashed_name: process-entry-leader-parent-session-leader-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.entry_leader.parent.session_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword +process.entry_leader.parent.session_leader.macho.go_import_hash: + dashed_name: process-entry-leader-parent-session-leader-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.parent.session_leader.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword +process.entry_leader.parent.session_leader.macho.go_imports: + dashed_name: process-entry-leader-parent-session-leader-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.parent.session_leader.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. 
+ type: flattened +process.entry_leader.parent.session_leader.macho.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.parent.session_leader.macho.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.parent.session_leader.macho.go_stripped: + dashed_name: process-entry-leader-parent-session-leader-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.parent.session_leader.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.entry_leader.parent.session_leader.macho.import_hash: + dashed_name: process-entry-leader-parent-session-leader-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. 
+ + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.parent.session_leader.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.entry_leader.parent.session_leader.macho.imports: + dashed_name: process-entry-leader-parent-session-leader-macho-imports + description: List of imported element names and types. + flat_name: process.entry_leader.parent.session_leader.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.entry_leader.parent.session_leader.macho.imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.entry_leader.parent.session_leader.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.entry_leader.parent.session_leader.macho.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.parent.session_leader.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. 
+ type: long +process.entry_leader.parent.session_leader.macho.sections: + dashed_name: process-entry-leader-parent-session-leader-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.entry_leader.parent.session_leader.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.entry_leader.parent.session_leader.macho.sections.entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.entry_leader.parent.session_leader.macho.sections.name: + dashed_name: process-entry-leader-parent-session-leader-macho-sections-name + description: Mach-O Section List name. + flat_name: process.entry_leader.parent.session_leader.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.entry_leader.parent.session_leader.macho.sections.physical_size: + dashed_name: process-entry-leader-parent-session-leader-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.entry_leader.parent.session_leader.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. 
+ type: long +process.entry_leader.parent.session_leader.macho.sections.var_entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.entry_leader.parent.session_leader.macho.sections.virtual_size: + dashed_name: process-entry-leader-parent-session-leader-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.entry_leader.parent.session_leader.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.entry_leader.parent.session_leader.macho.symhash: + dashed_name: process-entry-leader-parent-session-leader-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.entry_leader.parent.session_leader.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.entry_leader.parent.session_leader.name: + dashed_name: process-entry-leader-parent-session-leader-name + description: 'Process name. + + Sometimes called program name or similar.' 
+ example: ssh + flat_name: process.entry_leader.parent.session_leader.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword +process.entry_leader.parent.session_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + flat_name: process.entry_leader.parent.session_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.entry_leader.parent.session_leader.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.entry_leader.parent.session_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword +process.entry_leader.parent.session_leader.pe.architecture: + dashed_name: process-entry-leader-parent-session-leader-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.entry_leader.parent.session_leader.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. 
+ type: keyword +process.entry_leader.parent.session_leader.pe.company: + dashed_name: process-entry-leader-parent-session-leader-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.entry_leader.parent.session_leader.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.entry_leader.parent.session_leader.pe.description: + dashed_name: process-entry-leader-parent-session-leader-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.entry_leader.parent.session_leader.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +process.entry_leader.parent.session_leader.pe.file_version: + dashed_name: process-entry-leader-parent-session-leader-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.entry_leader.parent.session_leader.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +process.entry_leader.parent.session_leader.pe.go_import_hash: + dashed_name: process-entry-leader-parent-session-leader-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.parent.session_leader.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword +process.entry_leader.parent.session_leader.pe.go_imports: + dashed_name: process-entry-leader-parent-session-leader-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.parent.session_leader.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.entry_leader.parent.session_leader.pe.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.parent.session_leader.pe.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long +process.entry_leader.parent.session_leader.pe.go_stripped: + dashed_name: process-entry-leader-parent-session-leader-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.parent.session_leader.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.entry_leader.parent.session_leader.pe.imphash: + dashed_name: process-entry-leader-parent-session-leader-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.entry_leader.parent.session_leader.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.entry_leader.parent.session_leader.pe.import_hash: + dashed_name: process-entry-leader-parent-session-leader-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.parent.session_leader.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. 
+ type: keyword +process.entry_leader.parent.session_leader.pe.imports: + dashed_name: process-entry-leader-parent-session-leader-pe-imports + description: List of imported element names and types. + flat_name: process.entry_leader.parent.session_leader.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +process.entry_leader.parent.session_leader.pe.imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.entry_leader.parent.session_leader.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.entry_leader.parent.session_leader.pe.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.parent.session_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.entry_leader.parent.session_leader.pe.original_file_name: + dashed_name: process-entry-leader-parent-session-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. 
+ example: MSPAINT.EXE + flat_name: process.entry_leader.parent.session_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +process.entry_leader.parent.session_leader.pe.pehash: + dashed_name: process-entry-leader-parent-session-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.entry_leader.parent.session_leader.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword +process.entry_leader.parent.session_leader.pe.product: + dashed_name: process-entry-leader-parent-session-leader-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.entry_leader.parent.session_leader.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.entry_leader.parent.session_leader.pe.sections: + dashed_name: process-entry-leader-parent-session-leader-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' 
+ flat_name: process.entry_leader.parent.session_leader.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.entry_leader.parent.session_leader.pe.sections.entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.entry_leader.parent.session_leader.pe.sections.name: + dashed_name: process-entry-leader-parent-session-leader-pe-sections-name + description: PE Section List name. + flat_name: process.entry_leader.parent.session_leader.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword +process.entry_leader.parent.session_leader.pe.sections.physical_size: + dashed_name: process-entry-leader-parent-session-leader-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.entry_leader.parent.session_leader.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.entry_leader.parent.session_leader.pe.sections.var_entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. 
+ type: long +process.entry_leader.parent.session_leader.pe.sections.virtual_size: + dashed_name: process-entry-leader-parent-session-leader-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.entry_leader.parent.session_leader.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.entry_leader.parent.session_leader.pid: + dashed_name: process-entry-leader-parent-session-leader-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.parent.session_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.entry_leader.parent.session_leader.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. + flat_name: process.entry_leader.parent.session_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.entry_leader.parent.session_leader.real_group.domain: + dashed_name: process-entry-leader-parent-session-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.entry_leader.parent.session_leader.real_group.id: + dashed_name: process-entry-leader-parent-session-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.session_leader.real_group.name: + dashed_name: process-entry-leader-parent-session-leader-real-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.session_leader.real_user.domain: + dashed_name: process-entry-leader-parent-session-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.entry_leader.parent.session_leader.real_user.email: + dashed_name: process-entry-leader-parent-session-leader-real-user-email + description: User email address. + flat_name: process.entry_leader.parent.session_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.entry_leader.parent.session_leader.real_user.entity.attributes: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-session-leader-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.entry_leader.parent.session_leader.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.entry_leader.parent.session_leader.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.entry_leader.parent.session_leader.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.real_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.entry_leader.parent.session_leader.real_user.entity.id: + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.entry_leader.parent.session_leader.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.entry_leader.parent.session_leader.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. 
+ flat_name: process.entry_leader.parent.session_leader.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.entry_leader.parent.session_leader.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.entry_leader.parent.session_leader.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.entry_leader.parent.session_leader.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.entry_leader.parent.session_leader.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. 
For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.entry_leader.parent.session_leader.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.real_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.entry_leader.parent.session_leader.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.entry_leader.parent.session_leader.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.entry_leader.parent.session_leader.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.parent.session_leader.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. 
+ type: keyword +process.entry_leader.parent.session_leader.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.entry_leader.parent.session_leader.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.entry_leader.parent.session_leader.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.parent.session_leader.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.entry_leader.parent.session_leader.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. 
This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
+ example: host + flat_name: process.entry_leader.parent.session_leader.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.entry_leader.parent.session_leader.real_user.full_name: + dashed_name: process-entry-leader-parent-session-leader-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.session_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.entry_leader.parent.session_leader.real_user.group.domain: + dashed_name: process-entry-leader-parent-session-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.session_leader.real_user.group.id: + dashed_name: process-entry-leader-parent-session-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword +process.entry_leader.parent.session_leader.real_user.group.name: + dashed_name: process-entry-leader-parent-session-leader-real-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.session_leader.real_user.hash: + dashed_name: process-entry-leader-parent-session-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.session_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.parent.session_leader.real_user.id: + dashed_name: process-entry-leader-parent-session-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.session_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.entry_leader.parent.session_leader.real_user.name: + dashed_name: process-entry-leader-parent-session-leader-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.session_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword +process.entry_leader.parent.session_leader.real_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.entry_leader.parent.session_leader.real_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.entry_leader.parent.session_leader.real_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float +process.entry_leader.parent.session_leader.real_user.risk.static_level: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.entry_leader.parent.session_leader.real_user.risk.static_score: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.entry_leader.parent.session_leader.real_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. 
+ type: float +process.entry_leader.parent.session_leader.real_user.roles: + dashed_name: process-entry-leader-parent-session-leader-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.session_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.session_leader.same_as_process: + dashed_name: process-entry-leader-parent-session-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.entry_leader.parent.session_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. 
+ type: boolean +process.entry_leader.parent.session_leader.saved_group.domain: + dashed_name: process-entry-leader-parent-session-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.session_leader.saved_group.id: + dashed_name: process-entry-leader-parent-session-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.session_leader.saved_group.name: + dashed_name: process-entry-leader-parent-session-leader-saved-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.session_leader.saved_user.domain: + dashed_name: process-entry-leader-parent-session-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. 
+ type: keyword +process.entry_leader.parent.session_leader.saved_user.email: + dashed_name: process-entry-leader-parent-session-leader-saved-user-email + description: User email address. + flat_name: process.entry_leader.parent.session_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.entry_leader.parent.session_leader.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.entry_leader.parent.session_leader.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. 
+ flat_name: process.entry_leader.parent.session_leader.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.entry_leader.parent.session_leader.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.entry_leader.parent.session_leader.saved_user.entity.id: + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' 
+ flat_name: process.entry_leader.parent.session_leader.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.entry_leader.parent.session_leader.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.entry_leader.parent.session_leader.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.entry_leader.parent.session_leader.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. 
+ flat_name: process.entry_leader.parent.session_leader.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.entry_leader.parent.session_leader.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.entry_leader.parent.session_leader.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.entry_leader.parent.session_leader.saved_user.entity.reference: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.entry_leader.parent.session_leader.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.entry_leader.parent.session_leader.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.entry_leader.parent.session_leader.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. 
This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.entry_leader.parent.session_leader.saved_user.full_name: + dashed_name: process-entry-leader-parent-session-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.session_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.entry_leader.parent.session_leader.saved_user.group.domain: + dashed_name: process-entry-leader-parent-session-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.parent.session_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.session_leader.saved_user.group.id: + dashed_name: process-entry-leader-parent-session-leader-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.session_leader.saved_user.group.name: + dashed_name: process-entry-leader-parent-session-leader-saved-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.session_leader.saved_user.hash: + dashed_name: process-entry-leader-parent-session-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.session_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.parent.session_leader.saved_user.id: + dashed_name: process-entry-leader-parent-session-leader-saved-user-id + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.session_leader.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.entry_leader.parent.session_leader.saved_user.name: + dashed_name: process-entry-leader-parent-session-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.session_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.entry_leader.parent.session_leader.saved_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.entry_leader.parent.session_leader.saved_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.entry_leader.parent.session_leader.saved_user.risk.static_level: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.entry_leader.parent.session_leader.saved_user.risk.static_score: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.entry_leader.parent.session_leader.saved_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.entry_leader.parent.session_leader.saved_user.roles: + dashed_name: process-entry-leader-parent-session-leader-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.session_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.session_leader.start: + dashed_name: process-entry-leader-parent-session-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.session_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. 
+ type: date +process.entry_leader.parent.session_leader.supplemental_groups.domain: + dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.session_leader.supplemental_groups.id: + dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.session_leader.supplemental_groups.name: + dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.session_leader.thread.capabilities.effective: + dashed_name: process-entry-leader-parent-session-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.parent.session_leader.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.session_leader.thread.capabilities.permitted: + dashed_name: process-entry-leader-parent-session-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.parent.session_leader.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.session_leader.thread.id: + dashed_name: process-entry-leader-parent-session-leader-thread-id + description: Thread ID. + example: 4242 + flat_name: process.entry_leader.parent.session_leader.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long +process.entry_leader.parent.session_leader.thread.name: + dashed_name: process-entry-leader-parent-session-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.entry_leader.parent.session_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword +process.entry_leader.parent.session_leader.title: + dashed_name: process-entry-leader-parent-session-leader-title + description: 'Process title. + + The proctitle, some times the same as process name. 
Can also be different: for + example a browser setting its title to the web page currently opened.' + flat_name: process.entry_leader.parent.session_leader.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword +process.entry_leader.parent.session_leader.tty: + dashed_name: process-entry-leader-parent-session-leader-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.entry_leader.parent.session_leader.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object +process.entry_leader.parent.session_leader.tty.char_device.major: + dashed_name: process-entry-leader-parent-session-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.entry_leader.parent.session_leader.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long +process.entry_leader.parent.session_leader.tty.char_device.minor: + dashed_name: process-entry-leader-parent-session-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. 
It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.entry_leader.parent.session_leader.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long +process.entry_leader.parent.session_leader.tty.columns: + dashed_name: process-entry-leader-parent-session-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.entry_leader.parent.session_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long +process.entry_leader.parent.session_leader.tty.rows: + dashed_name: process-entry-leader-parent-session-leader-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.entry_leader.parent.session_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long +process.entry_leader.parent.session_leader.uptime: + dashed_name: process-entry-leader-parent-session-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.entry_leader.parent.session_leader.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. 
+ type: long +process.entry_leader.parent.session_leader.user.domain: + dashed_name: process-entry-leader-parent-session-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.entry_leader.parent.session_leader.user.email: + dashed_name: process-entry-leader-parent-session-leader-user-email + description: User email address. + flat_name: process.entry_leader.parent.session_leader.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.entry_leader.parent.session_leader.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.entry_leader.parent.session_leader.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. 
Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.entry_leader.parent.session_leader.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.parent.session_leader.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.entry_leader.parent.session_leader.user.entity.id: + dashed_name: process-entry-leader-parent-session-leader-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. 
Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.entry_leader.parent.session_leader.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.entry_leader.parent.session_leader.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.parent.session_leader.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.entry_leader.parent.session_leader.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.entry_leader.parent.session_leader.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. 
+ flat_name: process.entry_leader.parent.session_leader.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.entry_leader.parent.session_leader.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.entry_leader.parent.session_leader.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.entry_leader.parent.session_leader.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.entry_leader.parent.session_leader.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.entry_leader.parent.session_leader.user.entity.reference: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-session-leader-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.parent.session_leader.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.entry_leader.parent.session_leader.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.entry_leader.parent.session_leader.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.entry_leader.parent.session_leader.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: process.entry_leader.parent.session_leader.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.entry_leader.parent.session_leader.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. 
This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.entry_leader.parent.session_leader.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.entry_leader.parent.session_leader.user.full_name: + dashed_name: process-entry-leader-parent-session-leader-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.session_leader.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.entry_leader.parent.session_leader.user.group.domain: + dashed_name: process-entry-leader-parent-session-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.entry_leader.parent.session_leader.user.group.id: + dashed_name: process-entry-leader-parent-session-leader-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.session_leader.user.group.name: + dashed_name: process-entry-leader-parent-session-leader-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.session_leader.user.hash: + dashed_name: process-entry-leader-parent-session-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.session_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.parent.session_leader.user.id: + dashed_name: process-entry-leader-parent-session-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.session_leader.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. 
+ type: keyword +process.entry_leader.parent.session_leader.user.name: + dashed_name: process-entry-leader-parent-session-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.session_leader.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.entry_leader.parent.session_leader.user.risk.calculated_level: + dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.entry_leader.parent.session_leader.user.risk.calculated_score: + dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: float +process.entry_leader.parent.session_leader.user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.entry_leader.parent.session_leader.user.risk.static_level: + dashed_name: process-entry-leader-parent-session-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.session_leader.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.entry_leader.parent.session_leader.user.risk.static_score: + dashed_name: process-entry-leader-parent-session-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.session_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: float +process.entry_leader.parent.session_leader.user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-session-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.session_leader.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.entry_leader.parent.session_leader.user.roles: + dashed_name: process-entry-leader-parent-session-leader-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.session_leader.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.session_leader.vpid: + dashed_name: process-entry-leader-parent-session-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.entry_leader.parent.session_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long +process.entry_leader.parent.session_leader.working_directory: + dashed_name: process-entry-leader-parent-session-leader-working-directory + description: The working directory of the process. 
+ example: /home/alice + flat_name: process.entry_leader.parent.session_leader.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword +process.entry_leader.parent.start: + dashed_name: process-entry-leader-parent-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.entry_leader.parent.supplemental_groups.domain: + dashed_name: process-entry-leader-parent-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.supplemental_groups.id: + dashed_name: process-entry-leader-parent-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.supplemental_groups.name: + dashed_name: process-entry-leader-parent-supplemental-groups-name + description: Name of the group. 
+ flat_name: process.entry_leader.parent.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.thread.capabilities.effective: + dashed_name: process-entry-leader-parent-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.parent.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.thread.capabilities.permitted: + dashed_name: process-entry-leader-parent-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.parent.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.thread.id: + dashed_name: process-entry-leader-parent-thread-id + description: Thread ID. + example: 4242 + flat_name: process.entry_leader.parent.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long +process.entry_leader.parent.thread.name: + dashed_name: process-entry-leader-parent-thread-name + description: Thread name. 
+ example: thread-0 + flat_name: process.entry_leader.parent.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword +process.entry_leader.parent.title: + dashed_name: process-entry-leader-parent-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' + flat_name: process.entry_leader.parent.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword +process.entry_leader.parent.tty: + dashed_name: process-entry-leader-parent-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.entry_leader.parent.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object +process.entry_leader.parent.tty.char_device.major: + dashed_name: process-entry-leader-parent-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.entry_leader.parent.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. 
+ type: long +process.entry_leader.parent.tty.char_device.minor: + dashed_name: process-entry-leader-parent-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.entry_leader.parent.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long +process.entry_leader.parent.tty.columns: + dashed_name: process-entry-leader-parent-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.entry_leader.parent.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long +process.entry_leader.parent.tty.rows: + dashed_name: process-entry-leader-parent-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.entry_leader.parent.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long +process.entry_leader.parent.uptime: + dashed_name: process-entry-leader-parent-uptime + description: Seconds the process has been up. 
+ example: 1325 + flat_name: process.entry_leader.parent.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long +process.entry_leader.parent.user.domain: + dashed_name: process-entry-leader-parent-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.entry_leader.parent.user.email: + dashed_name: process-entry-leader-parent-user-email + description: User email address. + flat_name: process.entry_leader.parent.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.entry_leader.parent.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.entry_leader.parent.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.entry_leader.parent.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. 
Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.entry_leader.parent.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.entry_leader.parent.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.parent.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.entry_leader.parent.user.entity.id: + dashed_name: process-entry-leader-parent-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' 
+ flat_name: process.entry_leader.parent.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.entry_leader.parent.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.parent.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.entry_leader.parent.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.entry_leader.parent.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.entry_leader.parent.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. 
+ type: object +process.entry_leader.parent.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.entry_leader.parent.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.entry_leader.parent.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.entry_leader.parent.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.entry_leader.parent.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: process.entry_leader.parent.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.entry_leader.parent.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.entry_leader.parent.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.entry_leader.parent.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.parent.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.entry_leader.parent.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. 
+ name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
+ example: host + flat_name: process.entry_leader.parent.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.entry_leader.parent.user.full_name: + dashed_name: process-entry-leader-parent-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.entry_leader.parent.user.group.domain: + dashed_name: process-entry-leader-parent-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.user.group.id: + dashed_name: process-entry-leader-parent-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.user.group.name: + dashed_name: process-entry-leader-parent-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.entry_leader.parent.user.hash: + dashed_name: process-entry-leader-parent-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.parent.user.id: + dashed_name: process-entry-leader-parent-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.entry_leader.parent.user.name: + dashed_name: process-entry-leader-parent-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.entry_leader.parent.user.risk.calculated_level: + dashed_name: process-entry-leader-parent-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: keyword +process.entry_leader.parent.user.risk.calculated_score: + dashed_name: process-entry-leader-parent-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.entry_leader.parent.user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.parent.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.entry_leader.parent.user.risk.static_level: + dashed_name: process-entry-leader-parent-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.entry_leader.parent.user.risk.static_score: + dashed_name: process-entry-leader-parent-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.entry_leader.parent.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.entry_leader.parent.user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.entry_leader.parent.user.roles: + dashed_name: process-entry-leader-parent-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.vpid: + dashed_name: process-entry-leader-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.entry_leader.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long +process.entry_leader.parent.working_directory: + dashed_name: process-entry-leader-parent-working-directory + description: The working directory of the process. 
+ example: /home/alice + flat_name: process.entry_leader.parent.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword +process.entry_leader.pe.architecture: + dashed_name: process-entry-leader-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.entry_leader.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +process.entry_leader.pe.company: + dashed_name: process-entry-leader-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.entry_leader.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.entry_leader.pe.description: + dashed_name: process-entry-leader-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.entry_leader.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +process.entry_leader.pe.file_version: + dashed_name: process-entry-leader-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.entry_leader.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. 
+ type: keyword +process.entry_leader.pe.go_import_hash: + dashed_name: process-entry-leader-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword +process.entry_leader.pe.go_imports: + dashed_name: process-entry-leader-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.entry_leader.pe.go_imports_names_entropy: + dashed_name: process-entry-leader-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.pe.go_imports_names_var_entropy: + dashed_name: process-entry-leader-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.entry_leader.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.pe.go_stripped: + dashed_name: process-entry-leader-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.entry_leader.pe.imphash: + dashed_name: process-entry-leader-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.entry_leader.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.entry_leader.pe.import_hash: + dashed_name: process-entry-leader-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.entry_leader.pe.imports: + dashed_name: process-entry-leader-pe-imports + description: List of imported element names and types. + flat_name: process.entry_leader.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +process.entry_leader.pe.imports_names_entropy: + dashed_name: process-entry-leader-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.entry_leader.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.entry_leader.pe.imports_names_var_entropy: + dashed_name: process-entry-leader-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.entry_leader.pe.original_file_name: + dashed_name: process-entry-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.entry_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. 
+ type: keyword +process.entry_leader.pe.pehash: + dashed_name: process-entry-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.entry_leader.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword +process.entry_leader.pe.product: + dashed_name: process-entry-leader-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.entry_leader.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.entry_leader.pe.sections: + dashed_name: process-entry-leader-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.entry_leader.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.entry_leader.pe.sections.entropy: + dashed_name: process-entry-leader-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. 
+ type: long +process.entry_leader.pe.sections.name: + dashed_name: process-entry-leader-pe-sections-name + description: PE Section List name. + flat_name: process.entry_leader.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword +process.entry_leader.pe.sections.physical_size: + dashed_name: process-entry-leader-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.entry_leader.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.entry_leader.pe.sections.var_entropy: + dashed_name: process-entry-leader-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.entry_leader.pe.sections.virtual_size: + dashed_name: process-entry-leader-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.entry_leader.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.entry_leader.pid: + dashed_name: process-entry-leader-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.entry_leader.platform_binary: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. + flat_name: process.entry_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.entry_leader.real_group.domain: + dashed_name: process-entry-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.real_group.id: + dashed_name: process-entry-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.real_group.name: + dashed_name: process-entry-leader-real-group-name + description: Name of the group. + flat_name: process.entry_leader.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.real_user.domain: + dashed_name: process-entry-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.entry_leader.real_user.email: + dashed_name: process-entry-leader-real-user-email + description: User email address. + flat_name: process.entry_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.entry_leader.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.entry_leader.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.entry_leader.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. 
+ flat_name: process.entry_leader.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.entry_leader.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.real_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.entry_leader.real_user.entity.id: + dashed_name: process-entry-leader-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.entry_leader.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. 
+ type: keyword +process.entry_leader.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.entry_leader.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.entry_leader.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.entry_leader.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.entry_leader.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-name + description: The name of the entity. 
The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.entry_leader.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.real_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.entry_leader.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.entry_leader.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.entry_leader.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.entry_leader.real_user.entity.source: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-real-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.entry_leader.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.entry_leader.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.entry_leader.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. 
+ name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. 
+ name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.entry_leader.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.entry_leader.real_user.full_name: + dashed_name: process-entry-leader-real-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.entry_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.entry_leader.real_user.group.domain: + dashed_name: process-entry-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.real_user.group.id: + dashed_name: process-entry-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.real_user.group.name: + dashed_name: process-entry-leader-real-user-group-name + description: Name of the group. + flat_name: process.entry_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.real_user.hash: + dashed_name: process-entry-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.entry_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.real_user.id: + dashed_name: process-entry-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.entry_leader.real_user.name: + dashed_name: process-entry-leader-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.entry_leader.real_user.risk.calculated_level: + dashed_name: process-entry-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.entry_leader.real_user.risk.calculated_score: + dashed_name: process-entry-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.entry_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.entry_leader.real_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.entry_leader.real_user.risk.static_level: + dashed_name: process-entry-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.entry_leader.real_user.risk.static_score: + dashed_name: process-entry-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: float +process.entry_leader.real_user.risk.static_score_norm: + dashed_name: process-entry-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.entry_leader.real_user.roles: + dashed_name: process-entry-leader-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.entry_leader.same_as_process: + dashed_name: process-entry-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. 
e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.entry_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.entry_leader.saved_group.domain: + dashed_name: process-entry-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.saved_group.id: + dashed_name: process-entry-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.saved_group.name: + dashed_name: process-entry-leader-saved-group-name + description: Name of the group. + flat_name: process.entry_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.entry_leader.saved_user.domain: + dashed_name: process-entry-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.entry_leader.saved_user.email: + dashed_name: process-entry-leader-saved-user-email + description: User email address. + flat_name: process.entry_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.entry_leader.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.entry_leader.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.entry_leader.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. 
Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.entry_leader.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.entry_leader.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.saved_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.entry_leader.saved_user.entity.id: + dashed_name: process-entry-leader-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' 
+ flat_name: process.entry_leader.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.entry_leader.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.entry_leader.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.entry_leader.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.entry_leader.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. 
+ type: object +process.entry_leader.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.entry_leader.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.saved_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.entry_leader.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.entry_leader.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.entry_leader.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: process.entry_leader.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.entry_leader.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.entry_leader.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.entry_leader.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.entry_leader.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. 
+ name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
+ example: host + flat_name: process.entry_leader.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.entry_leader.saved_user.full_name: + dashed_name: process-entry-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.entry_leader.saved_user.group.domain: + dashed_name: process-entry-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.saved_user.group.id: + dashed_name: process-entry-leader-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.saved_user.group.name: + dashed_name: process-entry-leader-saved-user-group-name + description: Name of the group. + flat_name: process.entry_leader.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.entry_leader.saved_user.hash: + dashed_name: process-entry-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.saved_user.id: + dashed_name: process-entry-leader-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.entry_leader.saved_user.name: + dashed_name: process-entry-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.entry_leader.saved_user.risk.calculated_level: + dashed_name: process-entry-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: keyword +process.entry_leader.saved_user.risk.calculated_score: + dashed_name: process-entry-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.entry_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.entry_leader.saved_user.risk.static_level: + dashed_name: process-entry-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.entry_leader.saved_user.risk.static_score: + dashed_name: process-entry-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.entry_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.entry_leader.saved_user.risk.static_score_norm: + dashed_name: process-entry-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.entry_leader.saved_user.roles: + dashed_name: process-entry-leader-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.entry_leader.start: + dashed_name: process-entry-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.entry_leader.supplemental_groups.domain: + dashed_name: process-entry-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.supplemental_groups.id: + dashed_name: process-entry-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.supplemental_groups.name: + dashed_name: process-entry-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.entry_leader.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.thread.capabilities.effective: + dashed_name: process-entry-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword +process.entry_leader.thread.capabilities.permitted: + dashed_name: process-entry-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword +process.entry_leader.thread.id: + dashed_name: process-entry-leader-thread-id + description: Thread ID. + example: 4242 + flat_name: process.entry_leader.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long +process.entry_leader.thread.name: + dashed_name: process-entry-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.entry_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword +process.entry_leader.title: + dashed_name: process-entry-leader-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' + flat_name: process.entry_leader.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword +process.entry_leader.tty: + dashed_name: process-entry-leader-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.entry_leader.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. 
+ type: object +process.entry_leader.tty.char_device.major: + dashed_name: process-entry-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.entry_leader.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long +process.entry_leader.tty.char_device.minor: + dashed_name: process-entry-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.entry_leader.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long +process.entry_leader.tty.columns: + dashed_name: process-entry-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.entry_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long +process.entry_leader.tty.rows: + dashed_name: process-entry-leader-tty-rows + description: 'The number of character rows in the terminal. 
e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.entry_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long +process.entry_leader.uptime: + dashed_name: process-entry-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.entry_leader.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long +process.entry_leader.user.domain: + dashed_name: process-entry-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.entry_leader.user.email: + dashed_name: process-entry-leader-user-email + description: User email address. + flat_name: process.entry_leader.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.entry_leader.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. 
+ flat_name: process.entry_leader.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.entry_leader.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.entry_leader.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.entry_leader.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.entry_leader.user.entity.id: + dashed_name: process-entry-leader-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.entry_leader.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.entry_leader.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.entry_leader.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. 
+ type: object +process.entry_leader.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.entry_leader.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.entry_leader.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.entry_leader.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.entry_leader.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.entry_leader.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.entry_leader.user.entity.reference: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.entry_leader.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.entry_leader.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.entry_leader.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. 
+ type: keyword +process.entry_leader.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. 
+ name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-type + description: 'A standardized high-level classification of the entity. 
This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.entry_leader.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.entry_leader.user.full_name: + dashed_name: process-entry-leader-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.entry_leader.user.group.domain: + dashed_name: process-entry-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.user.group.id: + dashed_name: process-entry-leader-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.user.group.name: + dashed_name: process-entry-leader-user-group-name + description: Name of the group. 
+ flat_name: process.entry_leader.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.user.hash: + dashed_name: process-entry-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.user.id: + dashed_name: process-entry-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.entry_leader.user.name: + dashed_name: process-entry-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.entry_leader.user.risk.calculated_level: + dashed_name: process-entry-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.entry_leader.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.entry_leader.user.risk.calculated_score: + dashed_name: process-entry-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.entry_leader.user.risk.calculated_score_norm: + dashed_name: process-entry-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.entry_leader.user.risk.static_level: + dashed_name: process-entry-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: keyword +process.entry_leader.user.risk.static_score: + dashed_name: process-entry-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.entry_leader.user.risk.static_score_norm: + dashed_name: process-entry-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.entry_leader.user.roles: + dashed_name: process-entry-leader-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.entry_leader.vpid: + dashed_name: process-entry-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.entry_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. 
+ type: long +process.entry_leader.working_directory: + dashed_name: process-entry-leader-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.entry_leader.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword +process.entry_meta.source.address: + dashed_name: process-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword +process.entry_meta.source.as.number: + dashed_name: process-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.entry_meta.source.as.organization.name: + dashed_name: process-entry-meta-source-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: process.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword +process.entry_meta.source.bytes: + dashed_name: process-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long +process.entry_meta.source.domain: + dashed_name: process-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com + flat_name: process.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.entry_meta.source.geo.city_name: + dashed_name: process-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +process.entry_meta.source.geo.continent_code: + dashed_name: process-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. 
+ type: keyword +process.entry_meta.source.geo.continent_name: + dashed_name: process-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +process.entry_meta.source.geo.country_iso_code: + dashed_name: process-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +process.entry_meta.source.geo.country_name: + dashed_name: process-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +process.entry_meta.source.geo.location: + dashed_name: process-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +process.entry_meta.source.geo.name: + dashed_name: process-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' 
+ example: boston-dc + flat_name: process.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.entry_meta.source.geo.postal_code: + dashed_name: process-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +process.entry_meta.source.geo.region_iso_code: + dashed_name: process-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.entry_meta.source.geo.region_name: + dashed_name: process-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +process.entry_meta.source.geo.timezone: + dashed_name: process-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +process.entry_meta.source.ip: + dashed_name: process-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). 
+ flat_name: process.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip +process.entry_meta.source.mac: + dashed_name: process-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.entry_meta.source.nat.ip: + dashed_name: process-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.entry_meta.source.nat.port: + dashed_name: process-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.entry_meta.source.packets: + dashed_name: process-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. 
+ type: long +process.entry_meta.source.port: + dashed_name: process-entry-meta-source-port + description: Port of the source. + flat_name: process.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.entry_meta.source.registered_domain: + dashed_name: process-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword +process.entry_meta.source.subdomain: + dashed_name: process-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. 
+ type: keyword +process.entry_meta.source.top_level_domain: + dashed_name: process-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword +process.entry_meta.type: + dashed_name: process-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + short: The entry type for the entry session leader. + type: keyword +process.env_vars: + dashed_name: process-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.executable: + dashed_name: process-executable + description: Absolute path to the process executable. 
+ example: /usr/bin/ssh + flat_name: process.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + otel: + - attribute: process.executable.path + relation: equivalent + short: Absolute path to the process executable. + type: keyword +process.exit_code: + dashed_name: process-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.exit_code + level: extended + name: exit_code + normalize: [] + short: The exit code of the process. + type: long +process.group.domain: + dashed_name: process-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.group.id: + dashed_name: process-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group.name: + dashed_name: process-group-name + description: Name of the group. + flat_name: process.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.group_leader.args: + dashed_name: process-group-leader-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' 
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.group_leader.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword +process.group_leader.args_count: + dashed_name: process-group-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.group_leader.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long +process.group_leader.attested_groups.domain: + dashed_name: process-group-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.group_leader.attested_groups.id: + dashed_name: process-group-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group_leader.attested_groups.name: + dashed_name: process-group-leader-attested-groups-name + description: Name of the group. + flat_name: process.group_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.group_leader.attested_user.domain: + dashed_name: process-group-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.group_leader.attested_user.email: + dashed_name: process-group-leader-attested-user-email + description: User email address. + flat_name: process.group_leader.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.group_leader.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.group_leader.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.group_leader.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. 
Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.group_leader.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.group_leader.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.group_leader.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.attested_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.group_leader.attested_user.entity.id: + dashed_name: process-group-leader-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' 
+ flat_name: process.group_leader.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.group_leader.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.group_leader.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.group_leader.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.group_leader.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.group_leader.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.group_leader.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. 
+ type: object +process.group_leader.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.group_leader.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.attested_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.group_leader.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.group_leader.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.group_leader.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: process.group_leader.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.group_leader.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.group_leader.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.group_leader.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.group_leader.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.group_leader.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. 
Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. 
Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. 
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.group_leader.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.group_leader.attested_user.full_name: + dashed_name: process-group-leader-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.group_leader.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.group_leader.attested_user.group.domain: + dashed_name: process-group-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.group_leader.attested_user.group.id: + dashed_name: process-group-leader-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group_leader.attested_user.group.name: + dashed_name: process-group-leader-attested-user-group-name + description: Name of the group. 
+ flat_name: process.group_leader.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.group_leader.attested_user.hash: + dashed_name: process-group-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.group_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.group_leader.attested_user.id: + dashed_name: process-group-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.group_leader.attested_user.name: + dashed_name: process-group-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.group_leader.attested_user.risk.calculated_level: + dashed_name: process-group-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.group_leader.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.group_leader.attested_user.risk.calculated_score: + dashed_name: process-group-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.group_leader.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.group_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-group-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.group_leader.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.group_leader.attested_user.risk.static_level: + dashed_name: process-group-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.group_leader.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.group_leader.attested_user.risk.static_score: + dashed_name: process-group-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.group_leader.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.group_leader.attested_user.risk.static_score_norm: + dashed_name: process-group-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.group_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.group_leader.attested_user.roles: + dashed_name: process-group-leader-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.group_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword +process.group_leader.code_signature.digest_algorithm: + dashed_name: process-group-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times by + the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.group_leader.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword +process.group_leader.code_signature.exists: + dashed_name: process-group-leader-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.group_leader.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +process.group_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.group_leader.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword +process.group_leader.code_signature.signing_id: + dashed_name: process-group-leader-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' 
+ example: com.apple.xpc.proxy + flat_name: process.group_leader.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +process.group_leader.code_signature.status: + dashed_name: process-group-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.group_leader.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +process.group_leader.code_signature.subject_name: + dashed_name: process-group-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.group_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.group_leader.code_signature.team_id: + dashed_name: process-group-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.group_leader.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword +process.group_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. 
+ dashed_name: process-group-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.group_leader.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword +process.group_leader.code_signature.timestamp: + dashed_name: process-group-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.group_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date +process.group_leader.code_signature.trusted: + dashed_name: process-group-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.group_leader.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +process.group_leader.code_signature.valid: + dashed_name: process-group-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.group_leader.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. 
+ type: boolean +process.group_leader.command_line: + dashed_name: process-group-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.group_leader.command_line + level: extended + multi_fields: + - flat_name: process.group_leader.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.group_leader.elf.architecture: + dashed_name: process-group-leader-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.group_leader.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +process.group_leader.elf.byte_order: + dashed_name: process-group-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.group_leader.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +process.group_leader.elf.cpu_type: + dashed_name: process-group-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.group_leader.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +process.group_leader.elf.creation_date: + dashed_name: process-group-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. 
+ flat_name: process.group_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +process.group_leader.elf.exports: + dashed_name: process-group-leader-elf-exports + description: List of exported element names and types. + flat_name: process.group_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +process.group_leader.elf.go_import_hash: + dashed_name: process-group-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.group_leader.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +process.group_leader.elf.go_imports: + dashed_name: process-group-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.group_leader.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +process.group_leader.elf.go_imports_names_entropy: + dashed_name: process-group-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.group_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +process.group_leader.elf.go_imports_names_var_entropy: + dashed_name: process-group-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.group_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.group_leader.elf.go_stripped: + dashed_name: process-group-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.group_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.group_leader.elf.header.abi_version: + dashed_name: process-group-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.group_leader.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +process.group_leader.elf.header.class: + dashed_name: process-group-leader-elf-header-class + description: Header class of the ELF file. + flat_name: process.group_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. 
+ type: keyword +process.group_leader.elf.header.data: + dashed_name: process-group-leader-elf-header-data + description: Data table of the ELF header. + flat_name: process.group_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +process.group_leader.elf.header.entrypoint: + dashed_name: process-group-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.group_leader.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +process.group_leader.elf.header.object_version: + dashed_name: process-group-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.group_leader.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +process.group_leader.elf.header.os_abi: + dashed_name: process-group-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.group_leader.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +process.group_leader.elf.header.type: + dashed_name: process-group-leader-elf-header-type + description: Header type of the ELF file. + flat_name: process.group_leader.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +process.group_leader.elf.header.version: + dashed_name: process-group-leader-elf-header-version + description: Version of the ELF header. 
+ flat_name: process.group_leader.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.group_leader.elf.import_hash: + dashed_name: process-group-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.group_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword +process.group_leader.elf.imports: + dashed_name: process-group-leader-elf-imports + description: List of imported element names and types. + flat_name: process.group_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.group_leader.elf.imports_names_entropy: + dashed_name: process-group-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.group_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.group_leader.elf.imports_names_var_entropy: + dashed_name: process-group-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.group_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.group_leader.elf.sections: + dashed_name: process-group-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: process.group_leader.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +process.group_leader.elf.sections.chi2: + dashed_name: process-group-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.group_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +process.group_leader.elf.sections.entropy: + dashed_name: process-group-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.group_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +process.group_leader.elf.sections.flags: + dashed_name: process-group-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.group_leader.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. 
+ type: keyword +process.group_leader.elf.sections.name: + dashed_name: process-group-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.group_leader.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +process.group_leader.elf.sections.physical_offset: + dashed_name: process-group-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.group_leader.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +process.group_leader.elf.sections.physical_size: + dashed_name: process-group-leader-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.group_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +process.group_leader.elf.sections.type: + dashed_name: process-group-leader-elf-sections-type + description: ELF Section List type. + flat_name: process.group_leader.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +process.group_leader.elf.sections.var_entropy: + dashed_name: process-group-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.group_leader.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. 
+ type: long +process.group_leader.elf.sections.virtual_address: + dashed_name: process-group-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.group_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.group_leader.elf.sections.virtual_size: + dashed_name: process-group-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.group_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +process.group_leader.elf.segments: + dashed_name: process-group-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: process.group_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +process.group_leader.elf.segments.sections: + dashed_name: process-group-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.group_leader.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +process.group_leader.elf.segments.type: + dashed_name: process-group-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.group_leader.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. 
+ type: keyword +process.group_leader.elf.shared_libraries: + dashed_name: process-group-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.group_leader.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +process.group_leader.elf.telfhash: + dashed_name: process-group-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.group_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +process.group_leader.end: + dashed_name: process-group-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.group_leader.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date +process.group_leader.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.group_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean +process.group_leader.entity_id: + dashed_name: process-group-leader-entity-id + description: 'Unique identifier for the process. 
+ + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.group_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.group_leader.entry_meta.source.address: + dashed_name: process-group-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.group_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword +process.group_leader.entry_meta.source.as.number: + dashed_name: process-group-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.group_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.group_leader.entry_meta.source.as.organization.name: + dashed_name: process-group-leader-entry-meta-source-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: process.group_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword +process.group_leader.entry_meta.source.bytes: + dashed_name: process-group-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.group_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long +process.group_leader.entry_meta.source.domain: + dashed_name: process-group-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com + flat_name: process.group_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.group_leader.entry_meta.source.geo.city_name: + dashed_name: process-group-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.group_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +process.group_leader.entry_meta.source.geo.continent_code: + dashed_name: process-group-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. 
+ example: NA + flat_name: process.group_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +process.group_leader.entry_meta.source.geo.continent_name: + dashed_name: process-group-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.group_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +process.group_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-group-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.group_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +process.group_leader.entry_meta.source.geo.country_name: + dashed_name: process-group-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.group_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +process.group_leader.entry_meta.source.geo.location: + dashed_name: process-group-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.group_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. 
+ type: geo_point +process.group_leader.entry_meta.source.geo.name: + dashed_name: process-group-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.group_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.group_leader.entry_meta.source.geo.postal_code: + dashed_name: process-group-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.group_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +process.group_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-group-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.group_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.group_leader.entry_meta.source.geo.region_name: + dashed_name: process-group-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.group_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. 
+ type: keyword +process.group_leader.entry_meta.source.geo.timezone: + dashed_name: process-group-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.group_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +process.group_leader.entry_meta.source.ip: + dashed_name: process-group-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.group_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip +process.group_leader.entry_meta.source.mac: + dashed_name: process-group-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.group_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.group_leader.entry_meta.source.nat.ip: + dashed_name: process-group-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' 
+ flat_name: process.group_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.group_leader.entry_meta.source.nat.port: + dashed_name: process-group-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.group_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.group_leader.entry_meta.source.packets: + dashed_name: process-group-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.group_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.group_leader.entry_meta.source.port: + dashed_name: process-group-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.group_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.group_leader.entry_meta.source.registered_domain: + dashed_name: process-group-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' 
+ example: example.com + flat_name: process.group_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword +process.group_leader.entry_meta.source.subdomain: + dashed_name: process-group-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.group_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword +process.group_leader.entry_meta.source.top_level_domain: + dashed_name: process-group-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' 
+ example: co.uk + flat_name: process.group_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword +process.group_leader.entry_meta.type: + dashed_name: process-group-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.group_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword +process.group_leader.env_vars: + dashed_name: process-group-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.group_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.group_leader.executable: + dashed_name: process-group-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.group_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. 
+ type: keyword +process.group_leader.exit_code: + dashed_name: process-group-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.group_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long +process.group_leader.group.domain: + dashed_name: process-group-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.group_leader.group.id: + dashed_name: process-group-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group_leader.group.name: + dashed_name: process-group-leader-group-name + description: Name of the group. + flat_name: process.group_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.group_leader.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. 
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.group_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.group_leader.hash.md5: + dashed_name: process-group-leader-hash-md5 + description: MD5 hash. + flat_name: process.group_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.group_leader.hash.sha1: + dashed_name: process-group-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.group_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.group_leader.hash.sha256: + dashed_name: process-group-leader-hash-sha256 + description: SHA256 hash. + flat_name: process.group_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.group_leader.hash.sha384: + dashed_name: process-group-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.group_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword +process.group_leader.hash.sha512: + dashed_name: process-group-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.group_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.group_leader.hash.ssdeep: + dashed_name: process-group-leader-hash-ssdeep + description: SSDEEP hash. + flat_name: process.group_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. 
+ type: keyword +process.group_leader.hash.tlsh: + dashed_name: process-group-leader-hash-tlsh + description: TLSH hash. + flat_name: process.group_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.group_leader.interactive: + dashed_name: process-group-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.group_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.group_leader.io: + dashed_name: process-group-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.group_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object +process.group_leader.io.bytes_skipped: + dashed_name: process-group-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. 
+ flat_name: process.group_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.group_leader.io.bytes_skipped.length: + dashed_name: process-group-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.group_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long +process.group_leader.io.bytes_skipped.offset: + dashed_name: process-group-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.group_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.group_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-group-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.group_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.group_leader.io.text: + dashed_name: process-group-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. 
TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.group_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard +process.group_leader.io.total_bytes_captured: + dashed_name: process-group-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.group_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long +process.group_leader.io.total_bytes_skipped: + dashed_name: process-group-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.group_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: long +process.group_leader.io.type: + dashed_name: process-group-leader-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.group_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. 
+ type: keyword +process.group_leader.macho.go_import_hash: + dashed_name: process-group-leader-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.group_leader.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword +process.group_leader.macho.go_imports: + dashed_name: process-group-leader-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.group_leader.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.group_leader.macho.go_imports_names_entropy: + dashed_name: process-group-leader-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.group_leader.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.group_leader.macho.go_imports_names_var_entropy: + dashed_name: process-group-leader-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.group_leader.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.group_leader.macho.go_stripped: + dashed_name: process-group-leader-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.group_leader.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.group_leader.macho.import_hash: + dashed_name: process-group-leader-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.group_leader.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.group_leader.macho.imports: + dashed_name: process-group-leader-macho-imports + description: List of imported element names and types. + flat_name: process.group_leader.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.group_leader.macho.imports_names_entropy: + dashed_name: process-group-leader-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.group_leader.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.group_leader.macho.imports_names_var_entropy: + dashed_name: process-group-leader-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.group_leader.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.group_leader.macho.sections: + dashed_name: process-group-leader-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.group_leader.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.group_leader.macho.sections.entropy: + dashed_name: process-group-leader-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.group_leader.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.group_leader.macho.sections.name: + dashed_name: process-group-leader-macho-sections-name + description: Mach-O Section List name. 
+ flat_name: process.group_leader.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.group_leader.macho.sections.physical_size: + dashed_name: process-group-leader-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.group_leader.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.group_leader.macho.sections.var_entropy: + dashed_name: process-group-leader-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.group_leader.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.group_leader.macho.sections.virtual_size: + dashed_name: process-group-leader-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.group_leader.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.group_leader.macho.symhash: + dashed_name: process-group-leader-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. 
+ + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.group_leader.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.group_leader.name: + dashed_name: process-group-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.group_leader.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword +process.group_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + flat_name: process.group_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.group_leader.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.group_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword +process.group_leader.pe.architecture: + dashed_name: process-group-leader-pe-architecture + description: CPU architecture target for the file. 
+ example: x64 + flat_name: process.group_leader.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +process.group_leader.pe.company: + dashed_name: process-group-leader-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.group_leader.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.group_leader.pe.description: + dashed_name: process-group-leader-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.group_leader.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +process.group_leader.pe.file_version: + dashed_name: process-group-leader-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.group_leader.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +process.group_leader.pe.go_import_hash: + dashed_name: process-group-leader-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.group_leader.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword +process.group_leader.pe.go_imports: + dashed_name: process-group-leader-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.group_leader.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.group_leader.pe.go_imports_names_entropy: + dashed_name: process-group-leader-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.group_leader.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.group_leader.pe.go_imports_names_var_entropy: + dashed_name: process-group-leader-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.group_leader.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.group_leader.pe.go_stripped: + dashed_name: process-group-leader-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. 
+ flat_name: process.group_leader.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.group_leader.pe.imphash: + dashed_name: process-group-leader-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.group_leader.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.group_leader.pe.import_hash: + dashed_name: process-group-leader-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.group_leader.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.group_leader.pe.imports: + dashed_name: process-group-leader-pe-imports + description: List of imported element names and types. + flat_name: process.group_leader.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. 
+ type: flattened +process.group_leader.pe.imports_names_entropy: + dashed_name: process-group-leader-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.group_leader.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.group_leader.pe.imports_names_var_entropy: + dashed_name: process-group-leader-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.group_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.group_leader.pe.original_file_name: + dashed_name: process-group-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.group_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +process.group_leader.pe.pehash: + dashed_name: process-group-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' 
+ example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.group_leader.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword +process.group_leader.pe.product: + dashed_name: process-group-leader-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.group_leader.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.group_leader.pe.sections: + dashed_name: process-group-leader-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.group_leader.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.group_leader.pe.sections.entropy: + dashed_name: process-group-leader-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.group_leader.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.group_leader.pe.sections.name: + dashed_name: process-group-leader-pe-sections-name + description: PE Section List name. + flat_name: process.group_leader.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. 
+ type: keyword +process.group_leader.pe.sections.physical_size: + dashed_name: process-group-leader-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.group_leader.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.group_leader.pe.sections.var_entropy: + dashed_name: process-group-leader-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.group_leader.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.group_leader.pe.sections.virtual_size: + dashed_name: process-group-leader-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.group_leader.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.group_leader.pid: + dashed_name: process-group-leader-pid + description: Process id. + example: 4242 + flat_name: process.group_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + otel: + - relation: match + short: Process id. + type: long +process.group_leader.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. 
+ flat_name: process.group_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.group_leader.real_group.domain: + dashed_name: process-group-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.group_leader.real_group.id: + dashed_name: process-group-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group_leader.real_group.name: + dashed_name: process-group-leader-real-group-name + description: Name of the group. + flat_name: process.group_leader.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.group_leader.real_user.domain: + dashed_name: process-group-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.group_leader.real_user.email: + dashed_name: process-group-leader-real-user-email + description: User email address. 
+ flat_name: process.group_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.group_leader.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.group_leader.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.group_leader.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.group_leader.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.group_leader.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. 
This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.group_leader.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.real_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.group_leader.real_user.entity.id: + dashed_name: process-group-leader-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.group_leader.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.group_leader.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.group_leader.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." 
+ type: date +process.group_leader.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.group_leader.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.group_leader.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.group_leader.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.group_leader.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.group_leader.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.real_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. 
+ type: keyword +process.group_leader.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.group_leader.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.group_leader.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.group_leader.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.group_leader.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.group_leader.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.group_leader.real_user.entity.sub_type: + beta: This field is beta and subject to change. 
+ dashed_name: process-group-leader-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.group_leader.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.group_leader.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. 
This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.group_leader.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.group_leader.real_user.full_name: + dashed_name: process-group-leader-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.group_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. 
+ type: keyword +process.group_leader.real_user.group.domain: + dashed_name: process-group-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.group_leader.real_user.group.id: + dashed_name: process-group-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group_leader.real_user.group.name: + dashed_name: process-group-leader-real-user-group-name + description: Name of the group. + flat_name: process.group_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.group_leader.real_user.hash: + dashed_name: process-group-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.group_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.group_leader.real_user.id: + dashed_name: process-group-leader-real-user-id + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.group_leader.real_user.name: + dashed_name: process-group-leader-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.group_leader.real_user.risk.calculated_level: + dashed_name: process-group-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.group_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.group_leader.real_user.risk.calculated_score: + dashed_name: process-group-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.group_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: float +process.group_leader.real_user.risk.calculated_score_norm: + dashed_name: process-group-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.group_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.group_leader.real_user.risk.static_level: + dashed_name: process-group-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.group_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.group_leader.real_user.risk.static_score: + dashed_name: process-group-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.group_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: float +process.group_leader.real_user.risk.static_score_norm: + dashed_name: process-group-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.group_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.group_leader.real_user.roles: + dashed_name: process-group-leader-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.group_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.group_leader.same_as_process: + dashed_name: process-group-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. 
e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.group_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.group_leader.saved_group.domain: + dashed_name: process-group-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.group_leader.saved_group.id: + dashed_name: process-group-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group_leader.saved_group.name: + dashed_name: process-group-leader-saved-group-name + description: Name of the group. + flat_name: process.group_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.group_leader.saved_user.domain: + dashed_name: process-group-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.group_leader.saved_user.email: + dashed_name: process-group-leader-saved-user-email + description: User email address. + flat_name: process.group_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.group_leader.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.group_leader.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.group_leader.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. 
Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.group_leader.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.group_leader.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.group_leader.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.saved_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.group_leader.saved_user.entity.id: + dashed_name: process-group-leader-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' 
+ flat_name: process.group_leader.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.group_leader.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.group_leader.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.group_leader.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.group_leader.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.group_leader.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.group_leader.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. 
+ type: object +process.group_leader.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.group_leader.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.saved_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.group_leader.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.group_leader.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.group_leader.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: process.group_leader.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.group_leader.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.group_leader.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.group_leader.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.group_leader.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.group_leader.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. 
+ name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
+ example: host + flat_name: process.group_leader.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.group_leader.saved_user.full_name: + dashed_name: process-group-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.group_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.group_leader.saved_user.group.domain: + dashed_name: process-group-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.group_leader.saved_user.group.id: + dashed_name: process-group-leader-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group_leader.saved_user.group.name: + dashed_name: process-group-leader-saved-user-group-name + description: Name of the group. + flat_name: process.group_leader.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.group_leader.saved_user.hash: + dashed_name: process-group-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.group_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.group_leader.saved_user.id: + dashed_name: process-group-leader-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.group_leader.saved_user.name: + dashed_name: process-group-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.group_leader.saved_user.risk.calculated_level: + dashed_name: process-group-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.group_leader.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: keyword +process.group_leader.saved_user.risk.calculated_score: + dashed_name: process-group-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.group_leader.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.group_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-group-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.group_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.group_leader.saved_user.risk.static_level: + dashed_name: process-group-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.group_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.group_leader.saved_user.risk.static_score: + dashed_name: process-group-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.group_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.group_leader.saved_user.risk.static_score_norm: + dashed_name: process-group-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.group_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.group_leader.saved_user.roles: + dashed_name: process-group-leader-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.group_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.group_leader.start: + dashed_name: process-group-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.group_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.group_leader.supplemental_groups.domain: + dashed_name: process-group-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.group_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.group_leader.supplemental_groups.id: + dashed_name: process-group-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group_leader.supplemental_groups.name: + dashed_name: process-group-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.group_leader.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.group_leader.thread.capabilities.effective: + dashed_name: process-group-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.group_leader.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword +process.group_leader.thread.capabilities.permitted: + dashed_name: process-group-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.group_leader.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword +process.group_leader.thread.id: + dashed_name: process-group-leader-thread-id + description: Thread ID. + example: 4242 + flat_name: process.group_leader.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long +process.group_leader.thread.name: + dashed_name: process-group-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.group_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword +process.group_leader.title: + dashed_name: process-group-leader-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' + flat_name: process.group_leader.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword +process.group_leader.tty: + dashed_name: process-group-leader-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.group_leader.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. 
+ type: object +process.group_leader.tty.char_device.major: + dashed_name: process-group-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.group_leader.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long +process.group_leader.tty.char_device.minor: + dashed_name: process-group-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.group_leader.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long +process.group_leader.tty.columns: + dashed_name: process-group-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.group_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long +process.group_leader.tty.rows: + dashed_name: process-group-leader-tty-rows + description: 'The number of character rows in the terminal. 
e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.group_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long +process.group_leader.uptime: + dashed_name: process-group-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.group_leader.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long +process.group_leader.user.domain: + dashed_name: process-group-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.group_leader.user.email: + dashed_name: process-group-leader-user-email + description: User email address. + flat_name: process.group_leader.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.group_leader.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. 
+ flat_name: process.group_leader.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.group_leader.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.group_leader.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.group_leader.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.group_leader.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.group_leader.user.entity.id: + dashed_name: process-group-leader-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.group_leader.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.group_leader.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.group_leader.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.group_leader.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.group_leader.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. 
+ type: object +process.group_leader.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.group_leader.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.group_leader.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.group_leader.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.group_leader.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.group_leader.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.group_leader.user.entity.reference: + beta: This field is beta and subject to change. 
+ dashed_name: process-group-leader-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.group_leader.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.group_leader.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.group_leader.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.group_leader.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.group_leader.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. 
+ type: keyword +process.group_leader.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. 
+ name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-type + description: 'A standardized high-level classification of the entity. 
This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.group_leader.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.group_leader.user.full_name: + dashed_name: process-group-leader-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.group_leader.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.group_leader.user.group.domain: + dashed_name: process-group-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.group_leader.user.group.id: + dashed_name: process-group-leader-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group_leader.user.group.name: + dashed_name: process-group-leader-user-group-name + description: Name of the group. 
+ flat_name: process.group_leader.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.group_leader.user.hash: + dashed_name: process-group-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.group_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.group_leader.user.id: + dashed_name: process-group-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.group_leader.user.name: + dashed_name: process-group-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.group_leader.user.risk.calculated_level: + dashed_name: process-group-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.group_leader.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.group_leader.user.risk.calculated_score: + dashed_name: process-group-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.group_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.group_leader.user.risk.calculated_score_norm: + dashed_name: process-group-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.group_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.group_leader.user.risk.static_level: + dashed_name: process-group-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.group_leader.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: keyword +process.group_leader.user.risk.static_score: + dashed_name: process-group-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.group_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.group_leader.user.risk.static_score_norm: + dashed_name: process-group-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.group_leader.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.group_leader.user.roles: + dashed_name: process-group-leader-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.group_leader.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.group_leader.vpid: + dashed_name: process-group-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.group_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. 
+ type: long +process.group_leader.working_directory: + dashed_name: process-group-leader-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.group_leader.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword +process.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.hash.md5: + dashed_name: process-hash-md5 + description: MD5 hash. + flat_name: process.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.hash.sha1: + dashed_name: process-hash-sha1 + description: SHA1 hash. + flat_name: process.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.hash.sha256: + dashed_name: process-hash-sha256 + description: SHA256 hash. + flat_name: process.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.hash.sha384: + dashed_name: process-hash-sha384 + description: SHA384 hash. + flat_name: process.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. 
+ type: keyword +process.hash.sha512: + dashed_name: process-hash-sha512 + description: SHA512 hash. + flat_name: process.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.hash.ssdeep: + dashed_name: process-hash-ssdeep + description: SSDEEP hash. + flat_name: process.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +process.hash.tlsh: + dashed_name: process-hash-tlsh + description: TLSH hash. + flat_name: process.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.interactive: + dashed_name: process-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.interactive + level: extended + name: interactive + normalize: [] + otel: + - relation: match + short: Whether the process is connected to an interactive shell. + type: boolean +process.io: + dashed_name: process-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' 
+ flat_name: process.io + level: extended + name: io + normalize: [] + short: A chunk of input or output (IO) from a single process. + type: object +process.io.bytes_skipped: + dashed_name: process-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. + flat_name: process.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.io.bytes_skipped.length: + dashed_name: process-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + short: The length of bytes skipped. + type: long +process.io.bytes_skipped.offset: + dashed_name: process-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.io.max_bytes_per_process_exceeded: + dashed_name: process-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.io.text: + dashed_name: process-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. 
Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.io.text + level: extended + name: io.text + normalize: [] + short: A chunk of output or input sanitized to UTF-8. + type: wildcard +process.io.total_bytes_captured: + dashed_name: process-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + short: The total number of bytes captured in this event. + type: long +process.io.total_bytes_skipped: + dashed_name: process-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: long +process.io.type: + dashed_name: process-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + short: The type of object on which the IO action (read or write) was taken. + type: keyword +process.macho.go_import_hash: + dashed_name: process-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword +process.macho.go_imports: + dashed_name: process-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.macho.go_imports_names_entropy: + dashed_name: process-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.macho.go_imports_names_var_entropy: + dashed_name: process-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long +process.macho.go_stripped: + dashed_name: process-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.macho.import_hash: + dashed_name: process-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.macho.imports: + dashed_name: process-macho-imports + description: List of imported element names and types. + flat_name: process.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.macho.imports_names_entropy: + dashed_name: process-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.macho.imports_names_var_entropy: + dashed_name: process-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.macho.sections: + dashed_name: process-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.macho.sections.entropy: + dashed_name: process-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.macho.sections.name: + dashed_name: process-macho-sections-name + description: Mach-O Section List name. + flat_name: process.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.macho.sections.physical_size: + dashed_name: process-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.macho.sections.var_entropy: + dashed_name: process-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. 
+ flat_name: process.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.macho.sections.virtual_size: + dashed_name: process-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.macho.symhash: + dashed_name: process-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.name: + dashed_name: process-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.name.text + name: text + type: match_only_text + name: name + normalize: [] + short: Process name. + type: keyword +process.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. 
+ example: http://example.com/article1.html + flat_name: process.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + short: The URL where the process's executable file is hosted. + type: keyword +process.parent.args: + dashed_name: process-parent-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.parent.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword +process.parent.args_count: + dashed_name: process-parent-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.parent.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long +process.parent.attested_groups.domain: + dashed_name: process-parent-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.parent.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.attested_groups.id: + dashed_name: process-parent-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.attested_groups.name: + dashed_name: process-parent-attested-groups-name + description: Name of the group. + flat_name: process.parent.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.attested_user.domain: + dashed_name: process-parent-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.parent.attested_user.email: + dashed_name: process-parent-attested-user-email + description: User email address. + flat_name: process.parent.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.parent.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-parent-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. 
Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.parent.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.parent.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-parent-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.parent.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.parent.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-parent-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.parent.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.attested_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.parent.attested_user.entity.id: + dashed_name: process-parent-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.parent.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.parent.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-parent-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.parent.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.parent.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. 
+ dashed_name: process-parent-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.parent.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-parent-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.parent.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.parent.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-parent-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.parent.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.attested_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.parent.attested_user.entity.raw: + beta: This field is beta and subject to change. 
+ dashed_name: process-parent-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.parent.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.parent.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-parent-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.parent.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.parent.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-parent-attested-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.parent.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.parent.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-parent-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. 
This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.parent.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.parent.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. 
+ name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. 
This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-parent-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.parent.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.parent.attested_user.full_name: + dashed_name: process-parent-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.parent.attested_user.group.domain: + dashed_name: process-parent-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.parent.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.attested_user.group.id: + dashed_name: process-parent-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.attested_user.group.name: + dashed_name: process-parent-attested-user-group-name + description: Name of the group. + flat_name: process.parent.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.attested_user.hash: + dashed_name: process-parent-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.parent.attested_user.id: + dashed_name: process-parent-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.parent.attested_user.name: + dashed_name: process-parent-attested-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.parent.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.parent.attested_user.risk.calculated_level: + dashed_name: process-parent-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.parent.attested_user.risk.calculated_score: + dashed_name: process-parent-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.parent.attested_user.risk.calculated_score_norm: + dashed_name: process-parent-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. 
+ example: 88.73 + flat_name: process.parent.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.parent.attested_user.risk.static_level: + dashed_name: process-parent-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.parent.attested_user.risk.static_score: + dashed_name: process-parent-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.parent.attested_user.risk.static_score_norm: + dashed_name: process-parent-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. 
+ type: float +process.parent.attested_user.roles: + dashed_name: process-parent-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.parent.code_signature.digest_algorithm: + dashed_name: process-parent-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times by + the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.parent.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword +process.parent.code_signature.exists: + dashed_name: process-parent-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.parent.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +process.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.parent.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword +process.parent.code_signature.signing_id: + dashed_name: process-parent-code-signature-signing-id + description: 'The identifier used to sign the process. 
+ + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.parent.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +process.parent.code_signature.status: + dashed_name: process-parent-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.parent.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +process.parent.code_signature.subject_name: + dashed_name: process-parent-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.parent.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.parent.code_signature.team_id: + dashed_name: process-parent-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.parent.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. 
+ type: keyword +process.parent.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-parent-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.parent.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword +process.parent.code_signature.timestamp: + dashed_name: process-parent-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.parent.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date +process.parent.code_signature.trusted: + dashed_name: process-parent-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.parent.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +process.parent.code_signature.valid: + dashed_name: process-parent-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' 
+ example: 'true' + flat_name: process.parent.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +process.parent.command_line: + dashed_name: process-parent-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.parent.command_line + level: extended + multi_fields: + - flat_name: process.parent.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.parent.elf.architecture: + dashed_name: process-parent-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.parent.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +process.parent.elf.byte_order: + dashed_name: process-parent-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.parent.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +process.parent.elf.cpu_type: + dashed_name: process-parent-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.parent.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. 
+ type: keyword +process.parent.elf.creation_date: + dashed_name: process-parent-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: process.parent.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +process.parent.elf.exports: + dashed_name: process-parent-elf-exports + description: List of exported element names and types. + flat_name: process.parent.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +process.parent.elf.go_import_hash: + dashed_name: process-parent-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +process.parent.elf.go_imports: + dashed_name: process-parent-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. 
+ type: flattened +process.parent.elf.go_imports_names_entropy: + dashed_name: process-parent-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +process.parent.elf.go_imports_names_var_entropy: + dashed_name: process-parent-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.parent.elf.go_stripped: + dashed_name: process-parent-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.parent.elf.header.abi_version: + dashed_name: process-parent-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.parent.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +process.parent.elf.header.class: + dashed_name: process-parent-elf-header-class + description: Header class of the ELF file. 
+ flat_name: process.parent.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +process.parent.elf.header.data: + dashed_name: process-parent-elf-header-data + description: Data table of the ELF header. + flat_name: process.parent.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +process.parent.elf.header.entrypoint: + dashed_name: process-parent-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.parent.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +process.parent.elf.header.object_version: + dashed_name: process-parent-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.parent.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +process.parent.elf.header.os_abi: + dashed_name: process-parent-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.parent.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +process.parent.elf.header.type: + dashed_name: process-parent-elf-header-type + description: Header type of the ELF file. + flat_name: process.parent.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. 
+ type: keyword +process.parent.elf.header.version: + dashed_name: process-parent-elf-header-version + description: Version of the ELF header. + flat_name: process.parent.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.parent.elf.import_hash: + dashed_name: process-parent-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword +process.parent.elf.imports: + dashed_name: process-parent-elf-imports + description: List of imported element names and types. + flat_name: process.parent.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.parent.elf.imports_names_entropy: + dashed_name: process-parent-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.parent.elf.imports_names_var_entropy: + dashed_name: process-parent-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.parent.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.parent.elf.sections: + dashed_name: process-parent-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: process.parent.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +process.parent.elf.sections.chi2: + dashed_name: process-parent-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.parent.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +process.parent.elf.sections.entropy: + dashed_name: process-parent-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +process.parent.elf.sections.flags: + dashed_name: process-parent-elf-sections-flags + description: ELF Section List flags. + flat_name: process.parent.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +process.parent.elf.sections.name: + dashed_name: process-parent-elf-sections-name + description: ELF Section List name. 
+ flat_name: process.parent.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +process.parent.elf.sections.physical_offset: + dashed_name: process-parent-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.parent.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +process.parent.elf.sections.physical_size: + dashed_name: process-parent-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.parent.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +process.parent.elf.sections.type: + dashed_name: process-parent-elf-sections-type + description: ELF Section List type. + flat_name: process.parent.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +process.parent.elf.sections.var_entropy: + dashed_name: process-parent-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long +process.parent.elf.sections.virtual_address: + dashed_name: process-parent-elf-sections-virtual-address + description: ELF Section List virtual address. 
+ flat_name: process.parent.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.parent.elf.sections.virtual_size: + dashed_name: process-parent-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.parent.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +process.parent.elf.segments: + dashed_name: process-parent-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: process.parent.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +process.parent.elf.segments.sections: + dashed_name: process-parent-elf-segments-sections + description: ELF object segment sections. + flat_name: process.parent.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +process.parent.elf.segments.type: + dashed_name: process-parent-elf-segments-type + description: ELF object segment type. + flat_name: process.parent.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +process.parent.elf.shared_libraries: + dashed_name: process-parent-elf-shared-libraries + description: List of shared libraries used by this ELF object. 
+ flat_name: process.parent.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +process.parent.elf.telfhash: + dashed_name: process-parent-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.parent.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +process.parent.end: + dashed_name: process-parent-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date +process.parent.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-parent-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.parent.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean +process.parent.entity_id: + dashed_name: process-parent-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' 
+ example: c2c455d9f99375d + flat_name: process.parent.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.parent.entry_meta.source.address: + dashed_name: process-parent-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.parent.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword +process.parent.entry_meta.source.as.number: + dashed_name: process-parent-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.parent.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.parent.entry_meta.source.as.organization.name: + dashed_name: process-parent-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.parent.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword +process.parent.entry_meta.source.bytes: + dashed_name: process-parent-entry-meta-source-bytes + description: Bytes sent from the source to the destination. 
+ example: 184 + flat_name: process.parent.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long +process.parent.entry_meta.source.domain: + dashed_name: process-parent-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com + flat_name: process.parent.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.parent.entry_meta.source.geo.city_name: + dashed_name: process-parent-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.parent.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +process.parent.entry_meta.source.geo.continent_code: + dashed_name: process-parent-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.parent.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +process.parent.entry_meta.source.geo.continent_name: + dashed_name: process-parent-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.parent.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. 
+ type: keyword +process.parent.entry_meta.source.geo.country_iso_code: + dashed_name: process-parent-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.parent.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +process.parent.entry_meta.source.geo.country_name: + dashed_name: process-parent-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.parent.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +process.parent.entry_meta.source.geo.location: + dashed_name: process-parent-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.parent.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +process.parent.entry_meta.source.geo.name: + dashed_name: process-parent-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.parent.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.parent.entry_meta.source.geo.postal_code: + dashed_name: process-parent-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. 
+ + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.parent.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +process.parent.entry_meta.source.geo.region_iso_code: + dashed_name: process-parent-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.parent.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.parent.entry_meta.source.geo.region_name: + dashed_name: process-parent-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.parent.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +process.parent.entry_meta.source.geo.timezone: + dashed_name: process-parent-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.parent.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +process.parent.entry_meta.source.ip: + dashed_name: process-parent-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.parent.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip +process.parent.entry_meta.source.mac: + dashed_name: process-parent-entry-meta-source-mac + description: 'MAC address of the source. 
+ + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.parent.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.parent.entry_meta.source.nat.ip: + dashed_name: process-parent-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.parent.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.parent.entry_meta.source.nat.port: + dashed_name: process-parent-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.parent.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.parent.entry_meta.source.packets: + dashed_name: process-parent-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.parent.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.parent.entry_meta.source.port: + dashed_name: process-parent-entry-meta-source-port + description: Port of the source. 
+ flat_name: process.parent.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.parent.entry_meta.source.registered_domain: + dashed_name: process-parent-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.parent.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword +process.parent.entry_meta.source.subdomain: + dashed_name: process-parent-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.parent.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. 
+ type: keyword +process.parent.entry_meta.source.top_level_domain: + dashed_name: process-parent-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.parent.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword +process.parent.entry_meta.type: + dashed_name: process-parent-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.parent.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword +process.parent.env_vars: + dashed_name: process-parent-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.parent.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. 
+ synthetic_source_keep: none + type: keyword +process.parent.executable: + dashed_name: process-parent-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.parent.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword +process.parent.exit_code: + dashed_name: process-parent-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.parent.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long +process.parent.group.domain: + dashed_name: process-parent-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.group.id: + dashed_name: process-parent-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.group.name: + dashed_name: process-parent-group-name + description: Name of the group. + flat_name: process.parent.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.parent.group_leader.args: + dashed_name: process-parent-group-leader-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.parent.group_leader.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword +process.parent.group_leader.args_count: + dashed_name: process-parent-group-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.parent.group_leader.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long +process.parent.group_leader.attested_groups.domain: + dashed_name: process-parent-group-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.group_leader.attested_groups.id: + dashed_name: process-parent-group-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword +process.parent.group_leader.attested_groups.name: + dashed_name: process-parent-group-leader-attested-groups-name + description: Name of the group. + flat_name: process.parent.group_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.group_leader.attested_user.domain: + dashed_name: process-parent-group-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.parent.group_leader.attested_user.email: + dashed_name: process-parent-group-leader-attested-user-email + description: User email address. + flat_name: process.parent.group_leader.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.parent.group_leader.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.parent.group_leader.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. 
+ type: object +process.parent.group_leader.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.parent.group_leader.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.parent.group_leader.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.parent.group_leader.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.attested_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.parent.group_leader.attested_user.entity.id: + dashed_name: process-parent-group-leader-attested-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.parent.group_leader.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.parent.group_leader.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.parent.group_leader.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.parent.group_leader.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.parent.group_leader.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.parent.group_leader.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.parent.group_leader.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.parent.group_leader.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.parent.group_leader.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.attested_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.parent.group_leader.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. 
+ flat_name: process.parent.group_leader.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.parent.group_leader.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.parent.group_leader.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.parent.group_leader.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.parent.group_leader.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.parent.group_leader.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.parent.group_leader.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.parent.group_leader.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. 
This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. 
This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.parent.group_leader.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.parent.group_leader.attested_user.full_name: + dashed_name: process-parent-group-leader-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.group_leader.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.parent.group_leader.attested_user.group.domain: + dashed_name: process-parent-group-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.parent.group_leader.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.group_leader.attested_user.group.id: + dashed_name: process-parent-group-leader-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.group_leader.attested_user.group.name: + dashed_name: process-parent-group-leader-attested-user-group-name + description: Name of the group. + flat_name: process.parent.group_leader.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.group_leader.attested_user.hash: + dashed_name: process-parent-group-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.group_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.parent.group_leader.attested_user.id: + dashed_name: process-parent-group-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.group_leader.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. 
+ type: keyword +process.parent.group_leader.attested_user.name: + dashed_name: process-parent-group-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.group_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.parent.group_leader.attested_user.risk.calculated_level: + dashed_name: process-parent-group-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.group_leader.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.parent.group_leader.attested_user.risk.calculated_score: + dashed_name: process-parent-group-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.group_leader.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: float +process.parent.group_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-parent-group-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.parent.group_leader.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.parent.group_leader.attested_user.risk.static_level: + dashed_name: process-parent-group-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.group_leader.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.parent.group_leader.attested_user.risk.static_score: + dashed_name: process-parent-group-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.group_leader.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: float +process.parent.group_leader.attested_user.risk.static_score_norm: + dashed_name: process-parent-group-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.group_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.parent.group_leader.attested_user.roles: + dashed_name: process-parent-group-leader-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.group_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.parent.group_leader.code_signature.digest_algorithm: + dashed_name: process-parent-group-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times by + the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.parent.group_leader.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword +process.parent.group_leader.code_signature.exists: + dashed_name: process-parent-group-leader-code-signature-exists + description: Boolean to capture if a signature is present. 
+ example: 'true' + flat_name: process.parent.group_leader.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +process.parent.group_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.parent.group_leader.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword +process.parent.group_leader.code_signature.signing_id: + dashed_name: process-parent-group-leader-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.parent.group_leader.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +process.parent.group_leader.code_signature.status: + dashed_name: process-parent-group-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.parent.group_leader.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. 
+ type: keyword +process.parent.group_leader.code_signature.subject_name: + dashed_name: process-parent-group-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.parent.group_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.parent.group_leader.code_signature.team_id: + dashed_name: process-parent-group-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.parent.group_leader.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword +process.parent.group_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.parent.group_leader.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword +process.parent.group_leader.code_signature.timestamp: + dashed_name: process-parent-group-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. 
+ example: '2021-01-01T12:10:30Z' + flat_name: process.parent.group_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date +process.parent.group_leader.code_signature.trusted: + dashed_name: process-parent-group-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.parent.group_leader.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +process.parent.group_leader.code_signature.valid: + dashed_name: process-parent-group-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.parent.group_leader.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +process.parent.group_leader.command_line: + dashed_name: process-parent-group-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' 
+ example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.parent.group_leader.command_line + level: extended + multi_fields: + - flat_name: process.parent.group_leader.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.parent.group_leader.elf.architecture: + dashed_name: process-parent-group-leader-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.parent.group_leader.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +process.parent.group_leader.elf.byte_order: + dashed_name: process-parent-group-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.parent.group_leader.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +process.parent.group_leader.elf.cpu_type: + dashed_name: process-parent-group-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.parent.group_leader.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +process.parent.group_leader.elf.creation_date: + dashed_name: process-parent-group-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: process.parent.group_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. 
+ type: date +process.parent.group_leader.elf.exports: + dashed_name: process-parent-group-leader-elf-exports + description: List of exported element names and types. + flat_name: process.parent.group_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +process.parent.group_leader.elf.go_import_hash: + dashed_name: process-parent-group-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.group_leader.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +process.parent.group_leader.elf.go_imports: + dashed_name: process-parent-group-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.group_leader.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +process.parent.group_leader.elf.go_imports_names_entropy: + dashed_name: process-parent-group-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.parent.group_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +process.parent.group_leader.elf.go_imports_names_var_entropy: + dashed_name: process-parent-group-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.group_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.parent.group_leader.elf.go_stripped: + dashed_name: process-parent-group-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.group_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.parent.group_leader.elf.header.abi_version: + dashed_name: process-parent-group-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.parent.group_leader.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +process.parent.group_leader.elf.header.class: + dashed_name: process-parent-group-leader-elf-header-class + description: Header class of the ELF file. 
+ flat_name: process.parent.group_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +process.parent.group_leader.elf.header.data: + dashed_name: process-parent-group-leader-elf-header-data + description: Data table of the ELF header. + flat_name: process.parent.group_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +process.parent.group_leader.elf.header.entrypoint: + dashed_name: process-parent-group-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.parent.group_leader.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +process.parent.group_leader.elf.header.object_version: + dashed_name: process-parent-group-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.parent.group_leader.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +process.parent.group_leader.elf.header.os_abi: + dashed_name: process-parent-group-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.parent.group_leader.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +process.parent.group_leader.elf.header.type: + dashed_name: process-parent-group-leader-elf-header-type + description: Header type of the ELF file. 
+ flat_name: process.parent.group_leader.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +process.parent.group_leader.elf.header.version: + dashed_name: process-parent-group-leader-elf-header-version + description: Version of the ELF header. + flat_name: process.parent.group_leader.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.parent.group_leader.elf.import_hash: + dashed_name: process-parent-group-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.group_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword +process.parent.group_leader.elf.imports: + dashed_name: process-parent-group-leader-elf-imports + description: List of imported element names and types. + flat_name: process.parent.group_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.parent.group_leader.elf.imports_names_entropy: + dashed_name: process-parent-group-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.parent.group_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.parent.group_leader.elf.imports_names_var_entropy: + dashed_name: process-parent-group-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.group_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.parent.group_leader.elf.sections: + dashed_name: process-parent-group-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: process.parent.group_leader.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +process.parent.group_leader.elf.sections.chi2: + dashed_name: process-parent-group-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.parent.group_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +process.parent.group_leader.elf.sections.entropy: + dashed_name: process-parent-group-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: process.parent.group_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +process.parent.group_leader.elf.sections.flags: + dashed_name: process-parent-group-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.parent.group_leader.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +process.parent.group_leader.elf.sections.name: + dashed_name: process-parent-group-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.parent.group_leader.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +process.parent.group_leader.elf.sections.physical_offset: + dashed_name: process-parent-group-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.parent.group_leader.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +process.parent.group_leader.elf.sections.physical_size: + dashed_name: process-parent-group-leader-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.parent.group_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +process.parent.group_leader.elf.sections.type: + dashed_name: process-parent-group-leader-elf-sections-type + description: ELF Section List type. 
+ flat_name: process.parent.group_leader.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +process.parent.group_leader.elf.sections.var_entropy: + dashed_name: process-parent-group-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long +process.parent.group_leader.elf.sections.virtual_address: + dashed_name: process-parent-group-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.parent.group_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.parent.group_leader.elf.sections.virtual_size: + dashed_name: process-parent-group-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.parent.group_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +process.parent.group_leader.elf.segments: + dashed_name: process-parent-group-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: process.parent.group_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. 
+ type: nested +process.parent.group_leader.elf.segments.sections: + dashed_name: process-parent-group-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.parent.group_leader.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +process.parent.group_leader.elf.segments.type: + dashed_name: process-parent-group-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.parent.group_leader.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +process.parent.group_leader.elf.shared_libraries: + dashed_name: process-parent-group-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.parent.group_leader.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +process.parent.group_leader.elf.telfhash: + dashed_name: process-parent-group-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.parent.group_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +process.parent.group_leader.end: + dashed_name: process-parent-group-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.group_leader.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date +process.parent.group_leader.endpoint_security_client: + beta: This field is beta and subject to change. 
+ dashed_name: process-parent-group-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.parent.group_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean +process.parent.group_leader.entity_id: + dashed_name: process-parent-group-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.parent.group_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.parent.group_leader.entry_meta.source.address: + dashed_name: process-parent-group-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.parent.group_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. 
+ type: keyword +process.parent.group_leader.entry_meta.source.as.number: + dashed_name: process-parent-group-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.parent.group_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.parent.group_leader.entry_meta.source.as.organization.name: + dashed_name: process-parent-group-leader-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.parent.group_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword +process.parent.group_leader.entry_meta.source.bytes: + dashed_name: process-parent-group-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.parent.group_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long +process.parent.group_leader.entry_meta.source.domain: + dashed_name: process-parent-group-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' 
+ example: foo.example.com + flat_name: process.parent.group_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.parent.group_leader.entry_meta.source.geo.city_name: + dashed_name: process-parent-group-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.parent.group_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +process.parent.group_leader.entry_meta.source.geo.continent_code: + dashed_name: process-parent-group-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.parent.group_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +process.parent.group_leader.entry_meta.source.geo.continent_name: + dashed_name: process-parent-group-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.parent.group_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +process.parent.group_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-parent-group-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.parent.group_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. 
+ type: keyword +process.parent.group_leader.entry_meta.source.geo.country_name: + dashed_name: process-parent-group-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.parent.group_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +process.parent.group_leader.entry_meta.source.geo.location: + dashed_name: process-parent-group-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.parent.group_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +process.parent.group_leader.entry_meta.source.geo.name: + dashed_name: process-parent-group-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.parent.group_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.parent.group_leader.entry_meta.source.geo.postal_code: + dashed_name: process-parent-group-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' 
+ example: 94040 + flat_name: process.parent.group_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +process.parent.group_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-parent-group-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.parent.group_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.parent.group_leader.entry_meta.source.geo.region_name: + dashed_name: process-parent-group-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.parent.group_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +process.parent.group_leader.entry_meta.source.geo.timezone: + dashed_name: process-parent-group-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.parent.group_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +process.parent.group_leader.entry_meta.source.ip: + dashed_name: process-parent-group-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.parent.group_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. 
+ type: ip +process.parent.group_leader.entry_meta.source.mac: + dashed_name: process-parent-group-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.parent.group_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.parent.group_leader.entry_meta.source.nat.ip: + dashed_name: process-parent-group-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.parent.group_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.parent.group_leader.entry_meta.source.nat.port: + dashed_name: process-parent-group-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.parent.group_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.parent.group_leader.entry_meta.source.packets: + dashed_name: process-parent-group-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. 
+ example: 12 + flat_name: process.parent.group_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.parent.group_leader.entry_meta.source.port: + dashed_name: process-parent-group-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.parent.group_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.parent.group_leader.entry_meta.source.registered_domain: + dashed_name: process-parent-group-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.parent.group_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword +process.parent.group_leader.entry_meta.source.subdomain: + dashed_name: process-parent-group-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.parent.group_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword +process.parent.group_leader.entry_meta.source.top_level_domain: + dashed_name: process-parent-group-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.parent.group_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword +process.parent.group_leader.entry_meta.type: + dashed_name: process-parent-group-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.parent.group_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword +process.parent.group_leader.env_vars: + dashed_name: process-parent-group-leader-env-vars + description: 'Array of environment variable bindings. 
Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.parent.group_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.parent.group_leader.executable: + dashed_name: process-parent-group-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.parent.group_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword +process.parent.group_leader.exit_code: + dashed_name: process-parent-group-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.parent.group_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long +process.parent.group_leader.group.domain: + dashed_name: process-parent-group-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.parent.group_leader.group.id: + dashed_name: process-parent-group-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.group_leader.group.name: + dashed_name: process-parent-group-leader-group-name + description: Name of the group. + flat_name: process.parent.group_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.group_leader.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.parent.group_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.parent.group_leader.hash.md5: + dashed_name: process-parent-group-leader-hash-md5 + description: MD5 hash. + flat_name: process.parent.group_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.parent.group_leader.hash.sha1: + dashed_name: process-parent-group-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.parent.group_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.parent.group_leader.hash.sha256: + dashed_name: process-parent-group-leader-hash-sha256 + description: SHA256 hash. 
+ flat_name: process.parent.group_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.parent.group_leader.hash.sha384: + dashed_name: process-parent-group-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.parent.group_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword +process.parent.group_leader.hash.sha512: + dashed_name: process-parent-group-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.parent.group_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.parent.group_leader.hash.ssdeep: + dashed_name: process-parent-group-leader-hash-ssdeep + description: SSDEEP hash. + flat_name: process.parent.group_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +process.parent.group_leader.hash.tlsh: + dashed_name: process-parent-group-leader-hash-tlsh + description: TLSH hash. + flat_name: process.parent.group_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.parent.group_leader.interactive: + dashed_name: process-parent-group-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. 
+ + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.parent.group_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.parent.group_leader.io: + dashed_name: process-parent-group-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.parent.group_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object +process.parent.group_leader.io.bytes_skipped: + dashed_name: process-parent-group-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. + flat_name: process.parent.group_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.parent.group_leader.io.bytes_skipped.length: + dashed_name: process-parent-group-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.parent.group_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. 
+ type: long +process.parent.group_leader.io.bytes_skipped.offset: + dashed_name: process-parent-group-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.parent.group_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.parent.group_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-parent-group-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.parent.group_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.parent.group_leader.io.text: + dashed_name: process-parent-group-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.parent.group_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. 
+ type: wildcard +process.parent.group_leader.io.total_bytes_captured: + dashed_name: process-parent-group-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.parent.group_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long +process.parent.group_leader.io.total_bytes_skipped: + dashed_name: process-parent-group-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.parent.group_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: long +process.parent.group_leader.io.type: + dashed_name: process-parent-group-leader-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.parent.group_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword +process.parent.group_leader.macho.go_import_hash: + dashed_name: process-parent-group-leader-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.group_leader.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword +process.parent.group_leader.macho.go_imports: + dashed_name: process-parent-group-leader-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.group_leader.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.parent.group_leader.macho.go_imports_names_entropy: + dashed_name: process-parent-group-leader-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.group_leader.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.parent.group_leader.macho.go_imports_names_var_entropy: + dashed_name: process-parent-group-leader-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.group_leader.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long +process.parent.group_leader.macho.go_stripped: + dashed_name: process-parent-group-leader-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.group_leader.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.parent.group_leader.macho.import_hash: + dashed_name: process-parent-group-leader-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.group_leader.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.parent.group_leader.macho.imports: + dashed_name: process-parent-group-leader-macho-imports + description: List of imported element names and types. + flat_name: process.parent.group_leader.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.parent.group_leader.macho.imports_names_entropy: + dashed_name: process-parent-group-leader-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.parent.group_leader.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.parent.group_leader.macho.imports_names_var_entropy: + dashed_name: process-parent-group-leader-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.group_leader.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.parent.group_leader.macho.sections: + dashed_name: process-parent-group-leader-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.parent.group_leader.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.parent.group_leader.macho.sections.entropy: + dashed_name: process-parent-group-leader-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.parent.group_leader.macho.sections.name: + dashed_name: process-parent-group-leader-macho-sections-name + description: Mach-O Section List name. 
+ flat_name: process.parent.group_leader.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.parent.group_leader.macho.sections.physical_size: + dashed_name: process-parent-group-leader-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.parent.group_leader.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.parent.group_leader.macho.sections.var_entropy: + dashed_name: process-parent-group-leader-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.parent.group_leader.macho.sections.virtual_size: + dashed_name: process-parent-group-leader-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.group_leader.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.parent.group_leader.macho.symhash: + dashed_name: process-parent-group-leader-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. 
+ + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.parent.group_leader.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.parent.group_leader.name: + dashed_name: process-parent-group-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.parent.group_leader.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword +process.parent.group_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + flat_name: process.parent.group_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.parent.group_leader.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.parent.group_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. 
+ type: keyword +process.parent.group_leader.pe.architecture: + dashed_name: process-parent-group-leader-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.parent.group_leader.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +process.parent.group_leader.pe.company: + dashed_name: process-parent-group-leader-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.parent.group_leader.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.parent.group_leader.pe.description: + dashed_name: process-parent-group-leader-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.parent.group_leader.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +process.parent.group_leader.pe.file_version: + dashed_name: process-parent-group-leader-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.parent.group_leader.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +process.parent.group_leader.pe.go_import_hash: + dashed_name: process-parent-group-leader-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.group_leader.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword +process.parent.group_leader.pe.go_imports: + dashed_name: process-parent-group-leader-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.group_leader.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.parent.group_leader.pe.go_imports_names_entropy: + dashed_name: process-parent-group-leader-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.group_leader.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.parent.group_leader.pe.go_imports_names_var_entropy: + dashed_name: process-parent-group-leader-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.group_leader.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long +process.parent.group_leader.pe.go_stripped: + dashed_name: process-parent-group-leader-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.group_leader.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.parent.group_leader.pe.imphash: + dashed_name: process-parent-group-leader-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.parent.group_leader.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.parent.group_leader.pe.import_hash: + dashed_name: process-parent-group-leader-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.group_leader.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.parent.group_leader.pe.imports: + dashed_name: process-parent-group-leader-pe-imports + description: List of imported element names and types. 
+ flat_name: process.parent.group_leader.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +process.parent.group_leader.pe.imports_names_entropy: + dashed_name: process-parent-group-leader-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.group_leader.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.parent.group_leader.pe.imports_names_var_entropy: + dashed_name: process-parent-group-leader-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.group_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.parent.group_leader.pe.original_file_name: + dashed_name: process-parent-group-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.parent.group_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +process.parent.group_leader.pe.pehash: + dashed_name: process-parent-group-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. 
+ + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.parent.group_leader.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword +process.parent.group_leader.pe.product: + dashed_name: process-parent-group-leader-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.parent.group_leader.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.parent.group_leader.pe.sections: + dashed_name: process-parent-group-leader-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.parent.group_leader.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.parent.group_leader.pe.sections.entropy: + dashed_name: process-parent-group-leader-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.parent.group_leader.pe.sections.name: + dashed_name: process-parent-group-leader-pe-sections-name + description: PE Section List name. 
+ flat_name: process.parent.group_leader.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword +process.parent.group_leader.pe.sections.physical_size: + dashed_name: process-parent-group-leader-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.parent.group_leader.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.parent.group_leader.pe.sections.var_entropy: + dashed_name: process-parent-group-leader-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.parent.group_leader.pe.sections.virtual_size: + dashed_name: process-parent-group-leader-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.group_leader.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.parent.group_leader.pid: + dashed_name: process-parent-group-leader-pid + description: Process id. + example: 4242 + flat_name: process.parent.group_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.parent.group_leader.platform_binary: + beta: This field is beta and subject to change. 
+ dashed_name: process-parent-group-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. + flat_name: process.parent.group_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.parent.group_leader.real_group.domain: + dashed_name: process-parent-group-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.group_leader.real_group.id: + dashed_name: process-parent-group-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.group_leader.real_group.name: + dashed_name: process-parent-group-leader-real-group-name + description: Name of the group. + flat_name: process.parent.group_leader.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.group_leader.real_user.domain: + dashed_name: process-parent-group-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.parent.group_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.parent.group_leader.real_user.email: + dashed_name: process-parent-group-leader-real-user-email + description: User email address. + flat_name: process.parent.group_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.parent.group_leader.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.parent.group_leader.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.parent.group_leader.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. 
+ flat_name: process.parent.group_leader.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.parent.group_leader.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.parent.group_leader.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.real_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.parent.group_leader.real_user.entity.id: + dashed_name: process-parent-group-leader-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.parent.group_leader.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. 
+ type: keyword +process.parent.group_leader.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.parent.group_leader.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.parent.group_leader.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.group_leader.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.parent.group_leader.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.parent.group_leader.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.parent.group_leader.real_user.entity.name: + beta: This field is beta and subject to change. 
+ dashed_name: process-parent-group-leader-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.parent.group_leader.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.real_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.parent.group_leader.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.parent.group_leader.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.parent.group_leader.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.parent.group_leader.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. 
+ type: keyword +process.parent.group_leader.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.parent.group_leader.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.parent.group_leader.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.parent.group_leader.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.parent.group_leader.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. 
This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
+ example: host + flat_name: process.parent.group_leader.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.parent.group_leader.real_user.full_name: + dashed_name: process-parent-group-leader-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.group_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.parent.group_leader.real_user.group.domain: + dashed_name: process-parent-group-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.group_leader.real_user.group.id: + dashed_name: process-parent-group-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.group_leader.real_user.group.name: + dashed_name: process-parent-group-leader-real-user-group-name + description: Name of the group. 
+ flat_name: process.parent.group_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.group_leader.real_user.hash: + dashed_name: process-parent-group-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.group_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.parent.group_leader.real_user.id: + dashed_name: process-parent-group-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.group_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.parent.group_leader.real_user.name: + dashed_name: process-parent-group-leader-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.group_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.parent.group_leader.real_user.risk.calculated_level: + dashed_name: process-parent-group-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.parent.group_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.parent.group_leader.real_user.risk.calculated_score: + dashed_name: process-parent-group-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.group_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.parent.group_leader.real_user.risk.calculated_score_norm: + dashed_name: process-parent-group-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.parent.group_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.parent.group_leader.real_user.risk.static_level: + dashed_name: process-parent-group-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.parent.group_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.parent.group_leader.real_user.risk.static_score: + dashed_name: process-parent-group-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.group_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.parent.group_leader.real_user.risk.static_score_norm: + dashed_name: process-parent-group-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.group_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.parent.group_leader.real_user.roles: + dashed_name: process-parent-group-leader-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.group_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword +process.parent.group_leader.same_as_process: + dashed_name: process-parent-group-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.parent.group_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.parent.group_leader.saved_group.domain: + dashed_name: process-parent-group-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.parent.group_leader.saved_group.id: + dashed_name: process-parent-group-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.group_leader.saved_group.name: + dashed_name: process-parent-group-leader-saved-group-name + description: Name of the group. + flat_name: process.parent.group_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.group_leader.saved_user.domain: + dashed_name: process-parent-group-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.parent.group_leader.saved_user.email: + dashed_name: process-parent-group-leader-saved-user-email + description: User email address. + flat_name: process.parent.group_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.parent.group_leader.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. 
Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.parent.group_leader.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.parent.group_leader.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.parent.group_leader.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.parent.group_leader.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.parent.group_leader.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.saved_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.parent.group_leader.saved_user.entity.id: + dashed_name: process-parent-group-leader-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.parent.group_leader.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.parent.group_leader.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.parent.group_leader.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." 
+ type: date +process.parent.group_leader.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.group_leader.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.parent.group_leader.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.parent.group_leader.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.parent.group_leader.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.parent.group_leader.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.saved_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. 
+ type: keyword +process.parent.group_leader.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.parent.group_leader.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.parent.group_leader.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.parent.group_leader.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.parent.group_leader.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.parent.group_leader.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.parent.group_leader.saved_user.entity.sub_type: + beta: This field is beta and subject to change. 
+ dashed_name: process-parent-group-leader-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.parent.group_leader.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.parent.group_leader.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. 
This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.parent.group_leader.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.parent.group_leader.saved_user.full_name: + dashed_name: process-parent-group-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.group_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. 
+ type: keyword +process.parent.group_leader.saved_user.group.domain: + dashed_name: process-parent-group-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.group_leader.saved_user.group.id: + dashed_name: process-parent-group-leader-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.group_leader.saved_user.group.name: + dashed_name: process-parent-group-leader-saved-user-group-name + description: Name of the group. + flat_name: process.parent.group_leader.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.group_leader.saved_user.hash: + dashed_name: process-parent-group-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.group_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.parent.group_leader.saved_user.id: + dashed_name: process-parent-group-leader-saved-user-id + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.group_leader.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.parent.group_leader.saved_user.name: + dashed_name: process-parent-group-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.group_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.parent.group_leader.saved_user.risk.calculated_level: + dashed_name: process-parent-group-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.group_leader.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.parent.group_leader.saved_user.risk.calculated_score: + dashed_name: process-parent-group-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.group_leader.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: float +process.parent.group_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-parent-group-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.parent.group_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.parent.group_leader.saved_user.risk.static_level: + dashed_name: process-parent-group-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.group_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.parent.group_leader.saved_user.risk.static_score: + dashed_name: process-parent-group-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.group_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: float +process.parent.group_leader.saved_user.risk.static_score_norm: + dashed_name: process-parent-group-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.group_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.parent.group_leader.saved_user.roles: + dashed_name: process-parent-group-leader-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.group_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.parent.group_leader.start: + dashed_name: process-parent-group-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.group_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.parent.group_leader.supplemental_groups.domain: + dashed_name: process-parent-group-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.parent.group_leader.supplemental_groups.id: + dashed_name: process-parent-group-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.group_leader.supplemental_groups.name: + dashed_name: process-parent-group-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.parent.group_leader.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.group_leader.thread.capabilities.effective: + dashed_name: process-parent-group-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.group_leader.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword +process.parent.group_leader.thread.capabilities.permitted: + dashed_name: process-parent-group-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.group_leader.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. 
+ synthetic_source_keep: none + type: keyword +process.parent.group_leader.thread.id: + dashed_name: process-parent-group-leader-thread-id + description: Thread ID. + example: 4242 + flat_name: process.parent.group_leader.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long +process.parent.group_leader.thread.name: + dashed_name: process-parent-group-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.parent.group_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword +process.parent.group_leader.title: + dashed_name: process-parent-group-leader-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' + flat_name: process.parent.group_leader.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword +process.parent.group_leader.tty: + dashed_name: process-parent-group-leader-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.parent.group_leader.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object +process.parent.group_leader.tty.char_device.major: + dashed_name: process-parent-group-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. 
+ The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.parent.group_leader.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long +process.parent.group_leader.tty.char_device.minor: + dashed_name: process-parent-group-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.parent.group_leader.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long +process.parent.group_leader.tty.columns: + dashed_name: process-parent-group-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.parent.group_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long +process.parent.group_leader.tty.rows: + dashed_name: process-parent-group-leader-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. 
where event.action = ''text_output''' + example: 24 + flat_name: process.parent.group_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long +process.parent.group_leader.uptime: + dashed_name: process-parent-group-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.parent.group_leader.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long +process.parent.group_leader.user.domain: + dashed_name: process-parent-group-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.parent.group_leader.user.email: + dashed_name: process-parent-group-leader-user-email + description: User email address. + flat_name: process.parent.group_leader.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.parent.group_leader.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. 
+ flat_name: process.parent.group_leader.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.parent.group_leader.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.parent.group_leader.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.parent.group_leader.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.parent.group_leader.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. 
+ type: keyword +process.parent.group_leader.user.entity.id: + dashed_name: process-parent-group-leader-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.parent.group_leader.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.parent.group_leader.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.parent.group_leader.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.parent.group_leader.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.parent.group_leader.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.parent.group_leader.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.parent.group_leader.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.parent.group_leader.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.parent.group_leader.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.parent.group_leader.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. 
+ flat_name: process.parent.group_leader.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.parent.group_leader.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.parent.group_leader.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.parent.group_leader.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.parent.group_leader.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.parent.group_leader.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: process.parent.group_leader.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.parent.group_leader.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. 
This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.parent.group_leader.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.parent.group_leader.user.full_name: + dashed_name: process-parent-group-leader-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.group_leader.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.parent.group_leader.user.group.domain: + dashed_name: process-parent-group-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.parent.group_leader.user.group.id: + dashed_name: process-parent-group-leader-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.group_leader.user.group.name: + dashed_name: process-parent-group-leader-user-group-name + description: Name of the group. + flat_name: process.parent.group_leader.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.group_leader.user.hash: + dashed_name: process-parent-group-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.group_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.parent.group_leader.user.id: + dashed_name: process-parent-group-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.group_leader.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.parent.group_leader.user.name: + dashed_name: process-parent-group-leader-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.parent.group_leader.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.parent.group_leader.user.risk.calculated_level: + dashed_name: process-parent-group-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.group_leader.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.parent.group_leader.user.risk.calculated_score: + dashed_name: process-parent-group-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.group_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.parent.group_leader.user.risk.calculated_score_norm: + dashed_name: process-parent-group-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. 
+ example: 88.73 + flat_name: process.parent.group_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.parent.group_leader.user.risk.static_level: + dashed_name: process-parent-group-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.group_leader.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.parent.group_leader.user.risk.static_score: + dashed_name: process-parent-group-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.group_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.parent.group_leader.user.risk.static_score_norm: + dashed_name: process-parent-group-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.group_leader.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. 
+ type: float +process.parent.group_leader.user.roles: + dashed_name: process-parent-group-leader-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.group_leader.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.parent.group_leader.vpid: + dashed_name: process-parent-group-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.parent.group_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long +process.parent.group_leader.working_directory: + dashed_name: process-parent-group-leader-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.parent.group_leader.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword +process.parent.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-parent-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.parent.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. 
+ type: keyword +process.parent.hash.md5: + dashed_name: process-parent-hash-md5 + description: MD5 hash. + flat_name: process.parent.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.parent.hash.sha1: + dashed_name: process-parent-hash-sha1 + description: SHA1 hash. + flat_name: process.parent.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.parent.hash.sha256: + dashed_name: process-parent-hash-sha256 + description: SHA256 hash. + flat_name: process.parent.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.parent.hash.sha384: + dashed_name: process-parent-hash-sha384 + description: SHA384 hash. + flat_name: process.parent.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword +process.parent.hash.sha512: + dashed_name: process-parent-hash-sha512 + description: SHA512 hash. + flat_name: process.parent.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.parent.hash.ssdeep: + dashed_name: process-parent-hash-ssdeep + description: SSDEEP hash. + flat_name: process.parent.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +process.parent.hash.tlsh: + dashed_name: process-parent-hash-tlsh + description: TLSH hash. + flat_name: process.parent.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. 
+ type: keyword +process.parent.interactive: + dashed_name: process-parent-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.parent.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.parent.io: + dashed_name: process-parent-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.parent.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object +process.parent.io.bytes_skipped: + dashed_name: process-parent-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. + flat_name: process.parent.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.parent.io.bytes_skipped.length: + dashed_name: process-parent-io-bytes-skipped-length + description: The length of bytes skipped. 
+ flat_name: process.parent.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long +process.parent.io.bytes_skipped.offset: + dashed_name: process-parent-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.parent.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.parent.io.max_bytes_per_process_exceeded: + dashed_name: process-parent-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.parent.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.parent.io.text: + dashed_name: process-parent-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.parent.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. 
+ type: wildcard +process.parent.io.total_bytes_captured: + dashed_name: process-parent-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.parent.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long +process.parent.io.total_bytes_skipped: + dashed_name: process-parent-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.parent.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: long +process.parent.io.type: + dashed_name: process-parent-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.parent.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword +process.parent.macho.go_import_hash: + dashed_name: process-parent-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword +process.parent.macho.go_imports: + dashed_name: process-parent-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.parent.macho.go_imports_names_entropy: + dashed_name: process-parent-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.parent.macho.go_imports_names_var_entropy: + dashed_name: process-parent-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.parent.macho.go_stripped: + dashed_name: process-parent-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. 
+ flat_name: process.parent.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.parent.macho.import_hash: + dashed_name: process-parent-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.parent.macho.imports: + dashed_name: process-parent-macho-imports + description: List of imported element names and types. + flat_name: process.parent.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.parent.macho.imports_names_entropy: + dashed_name: process-parent-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.parent.macho.imports_names_var_entropy: + dashed_name: process-parent-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.parent.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.parent.macho.sections: + dashed_name: process-parent-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.parent.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.parent.macho.sections.entropy: + dashed_name: process-parent-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.parent.macho.sections.name: + dashed_name: process-parent-macho-sections-name + description: Mach-O Section List name. + flat_name: process.parent.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.parent.macho.sections.physical_size: + dashed_name: process-parent-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.parent.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. 
+ type: long +process.parent.macho.sections.var_entropy: + dashed_name: process-parent-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.parent.macho.sections.virtual_size: + dashed_name: process-parent-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.parent.macho.symhash: + dashed_name: process-parent-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.parent.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.parent.name: + dashed_name: process-parent-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.parent.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. 
+ type: keyword +process.parent.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-parent-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + flat_name: process.parent.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.parent.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-parent-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.parent.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword +process.parent.pe.architecture: + dashed_name: process-parent-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.parent.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +process.parent.pe.company: + dashed_name: process-parent-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.parent.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.parent.pe.description: + dashed_name: process-parent-pe-description + description: Internal description of the file, provided at compile-time. 
+ example: Paint + flat_name: process.parent.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +process.parent.pe.file_version: + dashed_name: process-parent-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.parent.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +process.parent.pe.go_import_hash: + dashed_name: process-parent-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword +process.parent.pe.go_imports: + dashed_name: process-parent-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.parent.pe.go_imports_names_entropy: + dashed_name: process-parent-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.parent.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.parent.pe.go_imports_names_var_entropy: + dashed_name: process-parent-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.parent.pe.go_stripped: + dashed_name: process-parent-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.parent.pe.imphash: + dashed_name: process-parent-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.parent.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.parent.pe.import_hash: + dashed_name: process-parent-pe-import-hash + description: 'A hash of the imports in a PE file. 
An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.parent.pe.imports: + dashed_name: process-parent-pe-imports + description: List of imported element names and types. + flat_name: process.parent.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +process.parent.pe.imports_names_entropy: + dashed_name: process-parent-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.parent.pe.imports_names_var_entropy: + dashed_name: process-parent-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.parent.pe.original_file_name: + dashed_name: process-parent-pe-original-file-name + description: Internal name of the file, provided at compile-time. 
+ example: MSPAINT.EXE + flat_name: process.parent.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +process.parent.pe.pehash: + dashed_name: process-parent-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.parent.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword +process.parent.pe.product: + dashed_name: process-parent-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.parent.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.parent.pe.sections: + dashed_name: process-parent-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.parent.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.parent.pe.sections.entropy: + dashed_name: process-parent-pe-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: process.parent.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.parent.pe.sections.name: + dashed_name: process-parent-pe-sections-name + description: PE Section List name. + flat_name: process.parent.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword +process.parent.pe.sections.physical_size: + dashed_name: process-parent-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.parent.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.parent.pe.sections.var_entropy: + dashed_name: process-parent-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.parent.pe.sections.virtual_size: + dashed_name: process-parent-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.parent.pid: + dashed_name: process-parent-pid + description: Process id. + example: 4242 + flat_name: process.parent.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. 
+ type: long +process.parent.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-parent-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. + flat_name: process.parent.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.parent.real_group.domain: + dashed_name: process-parent-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.real_group.id: + dashed_name: process-parent-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.real_group.name: + dashed_name: process-parent-real-group-name + description: Name of the group. + flat_name: process.parent.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.real_user.domain: + dashed_name: process-parent-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.parent.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.parent.real_user.email: + dashed_name: process-parent-real-user-email + description: User email address. + flat_name: process.parent.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.parent.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.parent.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.parent.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.parent.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. 
+ type: object +process.parent.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.parent.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.real_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.parent.real_user.entity.id: + dashed_name: process-parent-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.parent.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.parent.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. 
+ flat_name: process.parent.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.parent.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.parent.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.parent.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.parent.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. 
+ flat_name: process.parent.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.real_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.parent.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.parent.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.parent.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.parent.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.parent.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). 
+ flat_name: process.parent.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.parent.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.parent.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.parent.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. 
+ Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. 
Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.parent.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.parent.real_user.full_name: + dashed_name: process-parent-real-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.parent.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.parent.real_user.group.domain: + dashed_name: process-parent-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.real_user.group.id: + dashed_name: process-parent-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.real_user.group.name: + dashed_name: process-parent-real-user-group-name + description: Name of the group. + flat_name: process.parent.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.real_user.hash: + dashed_name: process-parent-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. 
+ type: keyword +process.parent.real_user.id: + dashed_name: process-parent-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.parent.real_user.name: + dashed_name: process-parent-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.parent.real_user.risk.calculated_level: + dashed_name: process-parent-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.parent.real_user.risk.calculated_score: + dashed_name: process-parent-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: float +process.parent.real_user.risk.calculated_score_norm: + dashed_name: process-parent-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.parent.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.parent.real_user.risk.static_level: + dashed_name: process-parent-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.parent.real_user.risk.static_score: + dashed_name: process-parent-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.parent.real_user.risk.static_score_norm: + dashed_name: process-parent-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + flat_name: process.parent.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.parent.real_user.roles: + dashed_name: process-parent-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.parent.same_as_process: + dashed_name: process-parent-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' 
+ example: true + flat_name: process.parent.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.parent.saved_group.domain: + dashed_name: process-parent-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.saved_group.id: + dashed_name: process-parent-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.saved_group.name: + dashed_name: process-parent-saved-group-name + description: Name of the group. + flat_name: process.parent.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.saved_user.domain: + dashed_name: process-parent-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.parent.saved_user.email: + dashed_name: process-parent-saved-user-email + description: User email address. 
+ flat_name: process.parent.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.parent.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.parent.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.parent.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.parent.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.parent.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. 
This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.parent.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.saved_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.parent.saved_user.entity.id: + dashed_name: process-parent-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.parent.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.parent.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.parent.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." 
+ type: date +process.parent.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.parent.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.parent.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.parent.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.parent.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.saved_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.parent.saved_user.entity.raw: + beta: This field is beta and subject to change. 
+ dashed_name: process-parent-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.parent.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.parent.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.parent.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.parent.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.parent.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.parent.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. 
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.parent.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.parent.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. 
This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. 
This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.parent.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.parent.saved_user.full_name: + dashed_name: process-parent-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.parent.saved_user.group.domain: + dashed_name: process-parent-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.parent.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.saved_user.group.id: + dashed_name: process-parent-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.saved_user.group.name: + dashed_name: process-parent-saved-user-group-name + description: Name of the group. + flat_name: process.parent.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.saved_user.hash: + dashed_name: process-parent-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.parent.saved_user.id: + dashed_name: process-parent-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.parent.saved_user.name: + dashed_name: process-parent-saved-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.parent.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.parent.saved_user.risk.calculated_level: + dashed_name: process-parent-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.parent.saved_user.risk.calculated_score: + dashed_name: process-parent-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.parent.saved_user.risk.calculated_score_norm: + dashed_name: process-parent-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.parent.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float +process.parent.saved_user.risk.static_level: + dashed_name: process-parent-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.parent.saved_user.risk.static_score: + dashed_name: process-parent-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.parent.saved_user.risk.static_score_norm: + dashed_name: process-parent-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.parent.saved_user.roles: + dashed_name: process-parent-saved-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.parent.start: + dashed_name: process-parent-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.parent.supplemental_groups.domain: + dashed_name: process-parent-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.supplemental_groups.id: + dashed_name: process-parent-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.supplemental_groups.name: + dashed_name: process-parent-supplemental-groups-name + description: Name of the group. + flat_name: process.parent.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.thread.capabilities.effective: + dashed_name: process-parent-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword +process.parent.thread.capabilities.permitted: + dashed_name: process-parent-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword +process.parent.thread.id: + dashed_name: process-parent-thread-id + description: Thread ID. + example: 4242 + flat_name: process.parent.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long +process.parent.thread.name: + dashed_name: process-parent-thread-name + description: Thread name. + example: thread-0 + flat_name: process.parent.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword +process.parent.title: + dashed_name: process-parent-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' 
+ flat_name: process.parent.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword +process.parent.tty: + dashed_name: process-parent-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.parent.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object +process.parent.tty.char_device.major: + dashed_name: process-parent-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.parent.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long +process.parent.tty.char_device.minor: + dashed_name: process-parent-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.parent.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long +process.parent.tty.columns: + dashed_name: process-parent-tty-columns + description: 'The number of character columns per line. 
e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.parent.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long +process.parent.tty.rows: + dashed_name: process-parent-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.parent.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long +process.parent.uptime: + dashed_name: process-parent-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.parent.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long +process.parent.user.domain: + dashed_name: process-parent-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.parent.user.email: + dashed_name: process-parent-user-email + description: User email address. + flat_name: process.parent.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.parent.user.entity.attributes: + beta: This field is beta and subject to change. 
+ dashed_name: process-parent-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.parent.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.parent.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.parent.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.parent.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.parent.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.parent.user.entity.id: + dashed_name: process-parent-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.parent.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.parent.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.parent.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.parent.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.parent.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.parent.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.parent.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.parent.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.parent.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. 
+ flat_name: process.parent.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.parent.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.parent.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.parent.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.parent.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.parent.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: process.parent.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.parent.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. 
This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.parent.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.parent.user.full_name: + dashed_name: process-parent-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.parent.user.group.domain: + dashed_name: process-parent-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.user.group.id: + dashed_name: process-parent-user-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.parent.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.user.group.name: + dashed_name: process-parent-user-group-name + description: Name of the group. + flat_name: process.parent.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.user.hash: + dashed_name: process-parent-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.parent.user.id: + dashed_name: process-parent-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.parent.user.name: + dashed_name: process-parent-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.parent.user.risk.calculated_level: + dashed_name: process-parent-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.parent.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.parent.user.risk.calculated_score: + dashed_name: process-parent-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.parent.user.risk.calculated_score_norm: + dashed_name: process-parent-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.parent.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.parent.user.risk.static_level: + dashed_name: process-parent-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: keyword +process.parent.user.risk.static_score: + dashed_name: process-parent-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.parent.user.risk.static_score_norm: + dashed_name: process-parent-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.parent.user.roles: + dashed_name: process-parent-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.parent.vpid: + dashed_name: process-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. 
+ type: long +process.parent.working_directory: + dashed_name: process-parent-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.parent.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword +process.pe.architecture: + dashed_name: process-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +process.pe.company: + dashed_name: process-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.pe.description: + dashed_name: process-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +process.pe.file_version: + dashed_name: process-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. 
+ type: keyword +process.pe.go_import_hash: + dashed_name: process-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword +process.pe.go_imports: + dashed_name: process-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.pe.go_imports_names_entropy: + dashed_name: process-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.pe.go_imports_names_var_entropy: + dashed_name: process-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long +process.pe.go_stripped: + dashed_name: process-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.pe.imphash: + dashed_name: process-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.pe.import_hash: + dashed_name: process-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.pe.imports: + dashed_name: process-pe-imports + description: List of imported element names and types. + flat_name: process.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. 
+ type: flattened +process.pe.imports_names_entropy: + dashed_name: process-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.pe.imports_names_var_entropy: + dashed_name: process-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.pe.original_file_name: + dashed_name: process-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +process.pe.pehash: + dashed_name: process-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. 
+ type: keyword +process.pe.product: + dashed_name: process-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.pe.sections: + dashed_name: process-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.pe.sections.entropy: + dashed_name: process-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.pe.sections.name: + dashed_name: process-pe-sections-name + description: PE Section List name. + flat_name: process.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword +process.pe.sections.physical_size: + dashed_name: process-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.pe.sections.var_entropy: + dashed_name: process-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. 
+ flat_name: process.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.pe.sections.virtual_size: + dashed_name: process-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.pid: + dashed_name: process-pid + description: Process id. + example: 4242 + flat_name: process.pid + format: string + level: core + name: pid + normalize: [] + otel: + - relation: match + short: Process id. + type: long +process.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. + flat_name: process.platform_binary + level: extended + name: platform_binary + normalize: [] + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.previous.args: + dashed_name: process-previous-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.previous.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword +process.previous.args_count: + dashed_name: process-previous-args-count + description: 'Length of the process.args array. 
+ + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.previous.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long +process.previous.attested_groups.domain: + dashed_name: process-previous-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.previous.attested_groups.id: + dashed_name: process-previous-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.previous.attested_groups.name: + dashed_name: process-previous-attested-groups-name + description: Name of the group. + flat_name: process.previous.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.previous.attested_user.domain: + dashed_name: process-previous-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. 
+ type: keyword +process.previous.attested_user.email: + dashed_name: process-previous-attested-user-email + description: User email address. + flat_name: process.previous.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.previous.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.previous.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.previous.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.previous.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.previous.attested_user.entity.display_name: + beta: This field is beta and subject to change. 
+ dashed_name: process-previous-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.previous.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.attested_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.previous.attested_user.entity.id: + dashed_name: process-previous-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.previous.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.previous.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. 
+ flat_name: process.previous.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.previous.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.previous.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.previous.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.previous.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.previous.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. 
+ flat_name: process.previous.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.attested_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.previous.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.previous.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.previous.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.previous.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.previous.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). 
+ flat_name: process.previous.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.previous.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.previous.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.previous.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. 
+ Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. 
Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.previous.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.previous.attested_user.full_name: + dashed_name: process-previous-attested-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.previous.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.previous.attested_user.group.domain: + dashed_name: process-previous-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.previous.attested_user.group.id: + dashed_name: process-previous-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.previous.attested_user.group.name: + dashed_name: process-previous-attested-user-group-name + description: Name of the group. + flat_name: process.previous.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.previous.attested_user.hash: + dashed_name: process-previous-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.previous.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.previous.attested_user.id: + dashed_name: process-previous-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.previous.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.previous.attested_user.name: + dashed_name: process-previous-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.previous.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.previous.attested_user.risk.calculated_level: + dashed_name: process-previous-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.previous.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.previous.attested_user.risk.calculated_score: + dashed_name: process-previous-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.previous.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.previous.attested_user.risk.calculated_score_norm: + dashed_name: process-previous-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.previous.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.previous.attested_user.risk.static_level: + dashed_name: process-previous-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.previous.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.previous.attested_user.risk.static_score: + dashed_name: process-previous-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.previous.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: float +process.previous.attested_user.risk.static_score_norm: + dashed_name: process-previous-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.previous.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.previous.attested_user.roles: + dashed_name: process-previous-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.previous.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.previous.code_signature.digest_algorithm: + dashed_name: process-previous-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times by + the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.previous.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword +process.previous.code_signature.exists: + dashed_name: process-previous-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.previous.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. 
+ type: boolean +process.previous.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-previous-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.previous.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword +process.previous.code_signature.signing_id: + dashed_name: process-previous-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.previous.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +process.previous.code_signature.status: + dashed_name: process-previous-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.previous.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. 
+ type: keyword +process.previous.code_signature.subject_name: + dashed_name: process-previous-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.previous.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.previous.code_signature.team_id: + dashed_name: process-previous-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.previous.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword +process.previous.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-previous-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.previous.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword +process.previous.code_signature.timestamp: + dashed_name: process-previous-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.previous.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. 
+ type: date +process.previous.code_signature.trusted: + dashed_name: process-previous-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.previous.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +process.previous.code_signature.valid: + dashed_name: process-previous-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.previous.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +process.previous.command_line: + dashed_name: process-previous-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.previous.command_line + level: extended + multi_fields: + - flat_name: process.previous.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.previous.elf.architecture: + dashed_name: process-previous-elf-architecture + description: Machine architecture of the ELF file. 
+ example: x86-64 + flat_name: process.previous.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +process.previous.elf.byte_order: + dashed_name: process-previous-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.previous.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +process.previous.elf.cpu_type: + dashed_name: process-previous-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.previous.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +process.previous.elf.creation_date: + dashed_name: process-previous-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: process.previous.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +process.previous.elf.exports: + dashed_name: process-previous-elf-exports + description: List of exported element names and types. + flat_name: process.previous.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +process.previous.elf.go_import_hash: + dashed_name: process-previous-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.previous.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +process.previous.elf.go_imports: + dashed_name: process-previous-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.previous.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +process.previous.elf.go_imports_names_entropy: + dashed_name: process-previous-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.previous.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +process.previous.elf.go_imports_names_var_entropy: + dashed_name: process-previous-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.previous.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long +process.previous.elf.go_stripped: + dashed_name: process-previous-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.previous.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.previous.elf.header.abi_version: + dashed_name: process-previous-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.previous.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +process.previous.elf.header.class: + dashed_name: process-previous-elf-header-class + description: Header class of the ELF file. + flat_name: process.previous.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +process.previous.elf.header.data: + dashed_name: process-previous-elf-header-data + description: Data table of the ELF header. + flat_name: process.previous.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +process.previous.elf.header.entrypoint: + dashed_name: process-previous-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.previous.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. 
+ type: long +process.previous.elf.header.object_version: + dashed_name: process-previous-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.previous.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +process.previous.elf.header.os_abi: + dashed_name: process-previous-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.previous.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +process.previous.elf.header.type: + dashed_name: process-previous-elf-header-type + description: Header type of the ELF file. + flat_name: process.previous.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +process.previous.elf.header.version: + dashed_name: process-previous-elf-header-version + description: Version of the ELF header. + flat_name: process.previous.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.previous.elf.import_hash: + dashed_name: process-previous-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.previous.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword +process.previous.elf.imports: + dashed_name: process-previous-elf-imports + description: List of imported element names and types. + flat_name: process.previous.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.previous.elf.imports_names_entropy: + dashed_name: process-previous-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.previous.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.previous.elf.imports_names_var_entropy: + dashed_name: process-previous-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.previous.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.previous.elf.sections: + dashed_name: process-previous-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: process.previous.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. 
+ type: nested +process.previous.elf.sections.chi2: + dashed_name: process-previous-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.previous.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +process.previous.elf.sections.entropy: + dashed_name: process-previous-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.previous.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +process.previous.elf.sections.flags: + dashed_name: process-previous-elf-sections-flags + description: ELF Section List flags. + flat_name: process.previous.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +process.previous.elf.sections.name: + dashed_name: process-previous-elf-sections-name + description: ELF Section List name. + flat_name: process.previous.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +process.previous.elf.sections.physical_offset: + dashed_name: process-previous-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.previous.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +process.previous.elf.sections.physical_size: + dashed_name: process-previous-elf-sections-physical-size + description: ELF Section List physical size. 
+ flat_name: process.previous.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +process.previous.elf.sections.type: + dashed_name: process-previous-elf-sections-type + description: ELF Section List type. + flat_name: process.previous.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +process.previous.elf.sections.var_entropy: + dashed_name: process-previous-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.previous.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long +process.previous.elf.sections.virtual_address: + dashed_name: process-previous-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.previous.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.previous.elf.sections.virtual_size: + dashed_name: process-previous-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.previous.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +process.previous.elf.segments: + dashed_name: process-previous-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' 
+ flat_name: process.previous.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +process.previous.elf.segments.sections: + dashed_name: process-previous-elf-segments-sections + description: ELF object segment sections. + flat_name: process.previous.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +process.previous.elf.segments.type: + dashed_name: process-previous-elf-segments-type + description: ELF object segment type. + flat_name: process.previous.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +process.previous.elf.shared_libraries: + dashed_name: process-previous-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.previous.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +process.previous.elf.telfhash: + dashed_name: process-previous-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.previous.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +process.previous.end: + dashed_name: process-previous-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.previous.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date +process.previous.endpoint_security_client: + beta: This field is beta and subject to change. 
+ dashed_name: process-previous-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.previous.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean +process.previous.entity_id: + dashed_name: process-previous-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.previous.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.previous.entry_meta.source.address: + dashed_name: process-previous-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.previous.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword +process.previous.entry_meta.source.as.number: + dashed_name: process-previous-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. 
The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.previous.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.previous.entry_meta.source.as.organization.name: + dashed_name: process-previous-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.previous.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword +process.previous.entry_meta.source.bytes: + dashed_name: process-previous-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.previous.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long +process.previous.entry_meta.source.domain: + dashed_name: process-previous-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com + flat_name: process.previous.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.previous.entry_meta.source.geo.city_name: + dashed_name: process-previous-entry-meta-source-geo-city-name + description: City name. 
+ example: Montreal + flat_name: process.previous.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +process.previous.entry_meta.source.geo.continent_code: + dashed_name: process-previous-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.previous.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +process.previous.entry_meta.source.geo.continent_name: + dashed_name: process-previous-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.previous.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +process.previous.entry_meta.source.geo.country_iso_code: + dashed_name: process-previous-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.previous.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +process.previous.entry_meta.source.geo.country_name: + dashed_name: process-previous-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.previous.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +process.previous.entry_meta.source.geo.location: + dashed_name: process-previous-entry-meta-source-geo-location + description: Longitude and latitude. 
+ example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.previous.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +process.previous.entry_meta.source.geo.name: + dashed_name: process-previous-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.previous.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.previous.entry_meta.source.geo.postal_code: + dashed_name: process-previous-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.previous.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +process.previous.entry_meta.source.geo.region_iso_code: + dashed_name: process-previous-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.previous.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.previous.entry_meta.source.geo.region_name: + dashed_name: process-previous-entry-meta-source-geo-region-name + description: Region name. 
+ example: Quebec + flat_name: process.previous.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +process.previous.entry_meta.source.geo.timezone: + dashed_name: process-previous-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.previous.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +process.previous.entry_meta.source.ip: + dashed_name: process-previous-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.previous.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip +process.previous.entry_meta.source.mac: + dashed_name: process-previous-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.previous.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.previous.entry_meta.source.nat.ip: + dashed_name: process-previous-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' 
+ flat_name: process.previous.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.previous.entry_meta.source.nat.port: + dashed_name: process-previous-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.previous.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.previous.entry_meta.source.packets: + dashed_name: process-previous-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.previous.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.previous.entry_meta.source.port: + dashed_name: process-previous-entry-meta-source-port + description: Port of the source. + flat_name: process.previous.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.previous.entry_meta.source.registered_domain: + dashed_name: process-previous-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' 
+ example: example.com + flat_name: process.previous.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword +process.previous.entry_meta.source.subdomain: + dashed_name: process-previous-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.previous.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword +process.previous.entry_meta.source.top_level_domain: + dashed_name: process-previous-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.previous.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). 
+ type: keyword +process.previous.entry_meta.type: + dashed_name: process-previous-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.previous.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword +process.previous.env_vars: + dashed_name: process-previous-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.previous.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.previous.executable: + dashed_name: process-previous-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.previous.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword +process.previous.exit_code: + dashed_name: process-previous-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.previous.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. 
+ type: long +process.previous.group.domain: + dashed_name: process-previous-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.previous.group.id: + dashed_name: process-previous-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.previous.group.name: + dashed_name: process-previous-group-name + description: Name of the group. + flat_name: process.previous.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.previous.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-previous-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.previous.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.previous.hash.md5: + dashed_name: process-previous-hash-md5 + description: MD5 hash. + flat_name: process.previous.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.previous.hash.sha1: + dashed_name: process-previous-hash-sha1 + description: SHA1 hash. 
+ flat_name: process.previous.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.previous.hash.sha256: + dashed_name: process-previous-hash-sha256 + description: SHA256 hash. + flat_name: process.previous.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.previous.hash.sha384: + dashed_name: process-previous-hash-sha384 + description: SHA384 hash. + flat_name: process.previous.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword +process.previous.hash.sha512: + dashed_name: process-previous-hash-sha512 + description: SHA512 hash. + flat_name: process.previous.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.previous.hash.ssdeep: + dashed_name: process-previous-hash-ssdeep + description: SSDEEP hash. + flat_name: process.previous.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +process.previous.hash.tlsh: + dashed_name: process-previous-hash-tlsh + description: TLSH hash. + flat_name: process.previous.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.previous.interactive: + dashed_name: process-previous-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. 
+ + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.previous.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.previous.io: + dashed_name: process-previous-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.previous.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object +process.previous.io.bytes_skipped: + dashed_name: process-previous-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. + flat_name: process.previous.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.previous.io.bytes_skipped.length: + dashed_name: process-previous-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.previous.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long +process.previous.io.bytes_skipped.offset: + dashed_name: process-previous-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. 
+ flat_name: process.previous.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.previous.io.max_bytes_per_process_exceeded: + dashed_name: process-previous-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.previous.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.previous.io.text: + dashed_name: process-previous-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.previous.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard +process.previous.io.total_bytes_captured: + dashed_name: process-previous-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.previous.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. 
+ type: long +process.previous.io.total_bytes_skipped: + dashed_name: process-previous-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.previous.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: long +process.previous.io.type: + dashed_name: process-previous-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.previous.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword +process.previous.macho.go_import_hash: + dashed_name: process-previous-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.previous.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. 
+ type: keyword +process.previous.macho.go_imports: + dashed_name: process-previous-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.previous.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.previous.macho.go_imports_names_entropy: + dashed_name: process-previous-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.previous.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.previous.macho.go_imports_names_var_entropy: + dashed_name: process-previous-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.previous.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.previous.macho.go_stripped: + dashed_name: process-previous-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.previous.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.previous.macho.import_hash: + dashed_name: process-previous-macho-import-hash + description: 'A hash of the imports in a Mach-O file. 
An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.previous.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.previous.macho.imports: + dashed_name: process-previous-macho-imports + description: List of imported element names and types. + flat_name: process.previous.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.previous.macho.imports_names_entropy: + dashed_name: process-previous-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.previous.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.previous.macho.imports_names_var_entropy: + dashed_name: process-previous-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.previous.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.previous.macho.sections: + dashed_name: process-previous-macho-sections + description: 'An array containing an object for each section of the Mach-O file. 
+ + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.previous.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.previous.macho.sections.entropy: + dashed_name: process-previous-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.previous.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.previous.macho.sections.name: + dashed_name: process-previous-macho-sections-name + description: Mach-O Section List name. + flat_name: process.previous.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.previous.macho.sections.physical_size: + dashed_name: process-previous-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.previous.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.previous.macho.sections.var_entropy: + dashed_name: process-previous-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.previous.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.previous.macho.sections.virtual_size: + dashed_name: process-previous-macho-sections-virtual-size + description: Mach-O Section List virtual size. 
This is always the same as `physical_size`. + flat_name: process.previous.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.previous.macho.symhash: + dashed_name: process-previous-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.previous.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.previous.name: + dashed_name: process-previous-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.previous.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword +process.previous.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-previous-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + flat_name: process.previous.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.previous.origin_url: + beta: This field is beta and subject to change. 
+ dashed_name: process-previous-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.previous.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword +process.previous.pe.architecture: + dashed_name: process-previous-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.previous.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +process.previous.pe.company: + dashed_name: process-previous-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.previous.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.previous.pe.description: + dashed_name: process-previous-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.previous.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +process.previous.pe.file_version: + dashed_name: process-previous-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.previous.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. 
+ type: keyword +process.previous.pe.go_import_hash: + dashed_name: process-previous-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.previous.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword +process.previous.pe.go_imports: + dashed_name: process-previous-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.previous.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.previous.pe.go_imports_names_entropy: + dashed_name: process-previous-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.previous.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.previous.pe.go_imports_names_var_entropy: + dashed_name: process-previous-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.previous.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.previous.pe.go_stripped: + dashed_name: process-previous-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.previous.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.previous.pe.imphash: + dashed_name: process-previous-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.previous.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.previous.pe.import_hash: + dashed_name: process-previous-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.previous.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. 
+ type: keyword +process.previous.pe.imports: + dashed_name: process-previous-pe-imports + description: List of imported element names and types. + flat_name: process.previous.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +process.previous.pe.imports_names_entropy: + dashed_name: process-previous-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.previous.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.previous.pe.imports_names_var_entropy: + dashed_name: process-previous-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.previous.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.previous.pe.original_file_name: + dashed_name: process-previous-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.previous.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +process.previous.pe.pehash: + dashed_name: process-previous-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. 
+ + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.previous.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword +process.previous.pe.product: + dashed_name: process-previous-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.previous.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.previous.pe.sections: + dashed_name: process-previous-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.previous.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.previous.pe.sections.entropy: + dashed_name: process-previous-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.previous.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.previous.pe.sections.name: + dashed_name: process-previous-pe-sections-name + description: PE Section List name. + flat_name: process.previous.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. 
+ type: keyword +process.previous.pe.sections.physical_size: + dashed_name: process-previous-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.previous.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.previous.pe.sections.var_entropy: + dashed_name: process-previous-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.previous.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.previous.pe.sections.virtual_size: + dashed_name: process-previous-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.previous.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.previous.pid: + dashed_name: process-previous-pid + description: Process id. + example: 4242 + flat_name: process.previous.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.previous.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-previous-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. 
+ flat_name: process.previous.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.previous.real_group.domain: + dashed_name: process-previous-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.previous.real_group.id: + dashed_name: process-previous-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.previous.real_group.name: + dashed_name: process-previous-real-group-name + description: Name of the group. + flat_name: process.previous.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.previous.real_user.domain: + dashed_name: process-previous-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.previous.real_user.email: + dashed_name: process-previous-real-user-email + description: User email address. 
+ flat_name: process.previous.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.previous.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.previous.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.previous.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.previous.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.previous.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. 
This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.previous.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.real_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.previous.real_user.entity.id: + dashed_name: process-previous-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.previous.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.previous.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.previous.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." 
+ type: date +process.previous.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.previous.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.previous.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.previous.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.previous.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.previous.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.real_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.previous.real_user.entity.raw: + beta: This field is beta and subject to change. 
+ dashed_name: process-previous-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.previous.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.previous.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.previous.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.previous.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.previous.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.previous.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. 
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.previous.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.previous.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. 
This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. 
This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.previous.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.previous.real_user.full_name: + dashed_name: process-previous-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.previous.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.previous.real_user.group.domain: + dashed_name: process-previous-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.previous.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.previous.real_user.group.id: + dashed_name: process-previous-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.previous.real_user.group.name: + dashed_name: process-previous-real-user-group-name + description: Name of the group. + flat_name: process.previous.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.previous.real_user.hash: + dashed_name: process-previous-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.previous.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.previous.real_user.id: + dashed_name: process-previous-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.previous.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.previous.real_user.name: + dashed_name: process-previous-real-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.previous.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.previous.real_user.risk.calculated_level: + dashed_name: process-previous-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.previous.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.previous.real_user.risk.calculated_score: + dashed_name: process-previous-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.previous.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.previous.real_user.risk.calculated_score_norm: + dashed_name: process-previous-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.previous.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float +process.previous.real_user.risk.static_level: + dashed_name: process-previous-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.previous.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.previous.real_user.risk.static_score: + dashed_name: process-previous-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.previous.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.previous.real_user.risk.static_score_norm: + dashed_name: process-previous-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.previous.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.previous.real_user.roles: + dashed_name: process-previous-real-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.previous.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.previous.same_as_process: + dashed_name: process-previous-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.previous.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.previous.saved_group.domain: + dashed_name: process-previous-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.previous.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.previous.saved_group.id: + dashed_name: process-previous-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.previous.saved_group.name: + dashed_name: process-previous-saved-group-name + description: Name of the group. + flat_name: process.previous.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.previous.saved_user.domain: + dashed_name: process-previous-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.previous.saved_user.email: + dashed_name: process-previous-saved-user-email + description: User email address. + flat_name: process.previous.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.previous.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. 
Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.previous.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.previous.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.previous.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.previous.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.previous.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.saved_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. 
+ type: keyword +process.previous.saved_user.entity.id: + dashed_name: process-previous-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.previous.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.previous.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.previous.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.previous.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.previous.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.previous.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.previous.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.previous.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.previous.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.saved_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.previous.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. 
+ flat_name: process.previous.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.previous.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.previous.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.previous.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.previous.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.previous.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: process.previous.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.previous.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. 
This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.previous.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.previous.saved_user.full_name: + dashed_name: process-previous-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.previous.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.previous.saved_user.group.domain: + dashed_name: process-previous-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.previous.saved_user.group.id: + dashed_name: process-previous-saved-user-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.previous.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.previous.saved_user.group.name: + dashed_name: process-previous-saved-user-group-name + description: Name of the group. + flat_name: process.previous.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.previous.saved_user.hash: + dashed_name: process-previous-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.previous.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.previous.saved_user.id: + dashed_name: process-previous-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.previous.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.previous.saved_user.name: + dashed_name: process-previous-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.previous.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword +process.previous.saved_user.risk.calculated_level: + dashed_name: process-previous-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.previous.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.previous.saved_user.risk.calculated_score: + dashed_name: process-previous-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.previous.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.previous.saved_user.risk.calculated_score_norm: + dashed_name: process-previous-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.previous.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.previous.saved_user.risk.static_level: + dashed_name: process-previous-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.previous.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.previous.saved_user.risk.static_score: + dashed_name: process-previous-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.previous.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.previous.saved_user.risk.static_score_norm: + dashed_name: process-previous-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.previous.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.previous.saved_user.roles: + dashed_name: process-previous-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.previous.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.previous.start: + dashed_name: process-previous-start + description: The time the process started. 
+ example: '2016-05-23T08:05:34.853Z' + flat_name: process.previous.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.previous.supplemental_groups.domain: + dashed_name: process-previous-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.previous.supplemental_groups.id: + dashed_name: process-previous-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.previous.supplemental_groups.name: + dashed_name: process-previous-supplemental-groups-name + description: Name of the group. + flat_name: process.previous.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.previous.thread.capabilities.effective: + dashed_name: process-previous-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.previous.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. 
+ synthetic_source_keep: none + type: keyword +process.previous.thread.capabilities.permitted: + dashed_name: process-previous-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.previous.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword +process.previous.thread.id: + dashed_name: process-previous-thread-id + description: Thread ID. + example: 4242 + flat_name: process.previous.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long +process.previous.thread.name: + dashed_name: process-previous-thread-name + description: Thread name. + example: thread-0 + flat_name: process.previous.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword +process.previous.title: + dashed_name: process-previous-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' + flat_name: process.previous.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword +process.previous.tty: + dashed_name: process-previous-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. 
+ flat_name: process.previous.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object +process.previous.tty.char_device.major: + dashed_name: process-previous-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.previous.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long +process.previous.tty.char_device.minor: + dashed_name: process-previous-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.previous.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long +process.previous.tty.columns: + dashed_name: process-previous-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.previous.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. 
e.g terminal width + type: long +process.previous.tty.rows: + dashed_name: process-previous-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.previous.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long +process.previous.uptime: + dashed_name: process-previous-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.previous.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long +process.previous.user.domain: + dashed_name: process-previous-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.previous.user.email: + dashed_name: process-previous-user-email + description: User email address. + flat_name: process.previous.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.previous.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. 
Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.previous.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.previous.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.previous.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.previous.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.previous.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. 
+ type: keyword +process.previous.user.entity.id: + dashed_name: process-previous-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.previous.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.previous.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.previous.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.previous.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.previous.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.previous.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.previous.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.previous.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.previous.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.previous.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.previous.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. 
+ type: object +process.previous.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.previous.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.previous.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.previous.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.previous.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.previous.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. 
+ type: keyword +process.previous.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. 
+ name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-type + description: 'A standardized high-level classification of the entity. 
This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.previous.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.previous.user.full_name: + dashed_name: process-previous-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.previous.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.previous.user.group.domain: + dashed_name: process-previous-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.previous.user.group.id: + dashed_name: process-previous-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.previous.user.group.name: + dashed_name: process-previous-user-group-name + description: Name of the group. 
+ flat_name: process.previous.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.previous.user.hash: + dashed_name: process-previous-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.previous.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.previous.user.id: + dashed_name: process-previous-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.previous.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.previous.user.name: + dashed_name: process-previous-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.previous.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.previous.user.risk.calculated_level: + dashed_name: process-previous-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.previous.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: keyword +process.previous.user.risk.calculated_score: + dashed_name: process-previous-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.previous.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.previous.user.risk.calculated_score_norm: + dashed_name: process-previous-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.previous.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.previous.user.risk.static_level: + dashed_name: process-previous-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.previous.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.previous.user.risk.static_score: + dashed_name: process-previous-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.previous.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.previous.user.risk.static_score_norm: + dashed_name: process-previous-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.previous.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.previous.user.roles: + dashed_name: process-previous-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.previous.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.previous.vpid: + dashed_name: process-previous-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.previous.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long +process.previous.working_directory: + dashed_name: process-previous-working-directory + description: The working directory of the process. 
+ example: /home/alice + flat_name: process.previous.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword +process.real_group.domain: + dashed_name: process-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.real_group.id: + dashed_name: process-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.real_group.name: + dashed_name: process-real-group-name + description: Name of the group. + flat_name: process.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.real_user.domain: + dashed_name: process-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.real_user.email: + dashed_name: process-real-user-email + description: User email address. 
+ flat_name: process.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.real_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.real_user.entity.id: + dashed_name: process-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.real_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. 
+ flat_name: process.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: process.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. 
This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.real_user.full_name: + dashed_name: process-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.real_user.group.domain: + dashed_name: process-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.real_user.group.id: + dashed_name: process-real-user-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.real_user.group.name: + dashed_name: process-real-user-group-name + description: Name of the group. + flat_name: process.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.real_user.hash: + dashed_name: process-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.real_user.id: + dashed_name: process-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + otel: + - relation: match + short: Unique identifier of the user. + type: keyword +process.real_user.name: + dashed_name: process-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + otel: + - relation: match + short: Short name or login of the user. 
+ type: keyword +process.real_user.risk.calculated_level: + dashed_name: process-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.real_user.risk.calculated_score: + dashed_name: process-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.real_user.risk.calculated_score_norm: + dashed_name: process-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.real_user.risk.static_level: + dashed_name: process-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.real_user.risk.static_score: + dashed_name: process-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.real_user.risk.static_score_norm: + dashed_name: process-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.real_user.roles: + dashed_name: process-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.responsible.args: + dashed_name: process-responsible-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' 
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.responsible.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword +process.responsible.args_count: + dashed_name: process-responsible-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.responsible.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long +process.responsible.attested_groups.domain: + dashed_name: process-responsible-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.responsible.attested_groups.id: + dashed_name: process-responsible-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.responsible.attested_groups.name: + dashed_name: process-responsible-attested-groups-name + description: Name of the group. + flat_name: process.responsible.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.responsible.attested_user.domain: + dashed_name: process-responsible-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.responsible.attested_user.email: + dashed_name: process-responsible-attested-user-email + description: User email address. + flat_name: process.responsible.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.responsible.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.responsible.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.responsible.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. 
Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.responsible.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.responsible.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.responsible.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.attested_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.responsible.attested_user.entity.id: + dashed_name: process-responsible-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' 
+ flat_name: process.responsible.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.responsible.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.responsible.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.responsible.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.responsible.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.responsible.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.responsible.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. 
+ type: object +process.responsible.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.responsible.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.attested_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.responsible.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.responsible.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.responsible.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: process.responsible.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.responsible.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.responsible.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.responsible.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.responsible.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.responsible.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. 
Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. 
Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. 
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.responsible.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.responsible.attested_user.full_name: + dashed_name: process-responsible-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.responsible.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.responsible.attested_user.group.domain: + dashed_name: process-responsible-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.responsible.attested_user.group.id: + dashed_name: process-responsible-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.responsible.attested_user.group.name: + dashed_name: process-responsible-attested-user-group-name + description: Name of the group. 
+ flat_name: process.responsible.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.responsible.attested_user.hash: + dashed_name: process-responsible-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.responsible.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.responsible.attested_user.id: + dashed_name: process-responsible-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.responsible.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.responsible.attested_user.name: + dashed_name: process-responsible-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.responsible.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.responsible.attested_user.risk.calculated_level: + dashed_name: process-responsible-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.responsible.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.responsible.attested_user.risk.calculated_score: + dashed_name: process-responsible-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.responsible.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.responsible.attested_user.risk.calculated_score_norm: + dashed_name: process-responsible-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.responsible.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.responsible.attested_user.risk.static_level: + dashed_name: process-responsible-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.responsible.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.responsible.attested_user.risk.static_score: + dashed_name: process-responsible-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.responsible.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.responsible.attested_user.risk.static_score_norm: + dashed_name: process-responsible-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.responsible.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.responsible.attested_user.roles: + dashed_name: process-responsible-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.responsible.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword +process.responsible.code_signature.digest_algorithm: + dashed_name: process-responsible-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times by + the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.responsible.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword +process.responsible.code_signature.exists: + dashed_name: process-responsible-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.responsible.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +process.responsible.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-responsible-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.responsible.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword +process.responsible.code_signature.signing_id: + dashed_name: process-responsible-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' 
+ example: com.apple.xpc.proxy + flat_name: process.responsible.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +process.responsible.code_signature.status: + dashed_name: process-responsible-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.responsible.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +process.responsible.code_signature.subject_name: + dashed_name: process-responsible-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.responsible.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.responsible.code_signature.team_id: + dashed_name: process-responsible-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.responsible.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword +process.responsible.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. 
+ dashed_name: process-responsible-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.responsible.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword +process.responsible.code_signature.timestamp: + dashed_name: process-responsible-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.responsible.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date +process.responsible.code_signature.trusted: + dashed_name: process-responsible-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.responsible.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +process.responsible.code_signature.valid: + dashed_name: process-responsible-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.responsible.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. 
+ type: boolean +process.responsible.command_line: + dashed_name: process-responsible-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.responsible.command_line + level: extended + multi_fields: + - flat_name: process.responsible.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.responsible.elf.architecture: + dashed_name: process-responsible-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.responsible.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +process.responsible.elf.byte_order: + dashed_name: process-responsible-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.responsible.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +process.responsible.elf.cpu_type: + dashed_name: process-responsible-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.responsible.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +process.responsible.elf.creation_date: + dashed_name: process-responsible-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. 
+ flat_name: process.responsible.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +process.responsible.elf.exports: + dashed_name: process-responsible-elf-exports + description: List of exported element names and types. + flat_name: process.responsible.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +process.responsible.elf.go_import_hash: + dashed_name: process-responsible-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.responsible.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +process.responsible.elf.go_imports: + dashed_name: process-responsible-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.responsible.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +process.responsible.elf.go_imports_names_entropy: + dashed_name: process-responsible-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.responsible.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +process.responsible.elf.go_imports_names_var_entropy: + dashed_name: process-responsible-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.responsible.elf.go_stripped: + dashed_name: process-responsible-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.responsible.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.responsible.elf.header.abi_version: + dashed_name: process-responsible-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.responsible.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +process.responsible.elf.header.class: + dashed_name: process-responsible-elf-header-class + description: Header class of the ELF file. + flat_name: process.responsible.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. 
+ type: keyword +process.responsible.elf.header.data: + dashed_name: process-responsible-elf-header-data + description: Data table of the ELF header. + flat_name: process.responsible.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +process.responsible.elf.header.entrypoint: + dashed_name: process-responsible-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.responsible.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +process.responsible.elf.header.object_version: + dashed_name: process-responsible-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.responsible.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +process.responsible.elf.header.os_abi: + dashed_name: process-responsible-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.responsible.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +process.responsible.elf.header.type: + dashed_name: process-responsible-elf-header-type + description: Header type of the ELF file. + flat_name: process.responsible.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +process.responsible.elf.header.version: + dashed_name: process-responsible-elf-header-version + description: Version of the ELF header. 
+ flat_name: process.responsible.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.responsible.elf.import_hash: + dashed_name: process-responsible-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.responsible.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword +process.responsible.elf.imports: + dashed_name: process-responsible-elf-imports + description: List of imported element names and types. + flat_name: process.responsible.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.responsible.elf.imports_names_entropy: + dashed_name: process-responsible-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.responsible.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.responsible.elf.imports_names_var_entropy: + dashed_name: process-responsible-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.responsible.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.responsible.elf.sections: + dashed_name: process-responsible-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: process.responsible.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +process.responsible.elf.sections.chi2: + dashed_name: process-responsible-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.responsible.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +process.responsible.elf.sections.entropy: + dashed_name: process-responsible-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.responsible.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +process.responsible.elf.sections.flags: + dashed_name: process-responsible-elf-sections-flags + description: ELF Section List flags. + flat_name: process.responsible.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +process.responsible.elf.sections.name: + dashed_name: process-responsible-elf-sections-name + description: ELF Section List name. 
+ flat_name: process.responsible.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +process.responsible.elf.sections.physical_offset: + dashed_name: process-responsible-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.responsible.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +process.responsible.elf.sections.physical_size: + dashed_name: process-responsible-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.responsible.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +process.responsible.elf.sections.type: + dashed_name: process-responsible-elf-sections-type + description: ELF Section List type. + flat_name: process.responsible.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +process.responsible.elf.sections.var_entropy: + dashed_name: process-responsible-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.responsible.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long +process.responsible.elf.sections.virtual_address: + dashed_name: process-responsible-elf-sections-virtual-address + description: ELF Section List virtual address. 
+ flat_name: process.responsible.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.responsible.elf.sections.virtual_size: + dashed_name: process-responsible-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.responsible.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +process.responsible.elf.segments: + dashed_name: process-responsible-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: process.responsible.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +process.responsible.elf.segments.sections: + dashed_name: process-responsible-elf-segments-sections + description: ELF object segment sections. + flat_name: process.responsible.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +process.responsible.elf.segments.type: + dashed_name: process-responsible-elf-segments-type + description: ELF object segment type. + flat_name: process.responsible.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +process.responsible.elf.shared_libraries: + dashed_name: process-responsible-elf-shared-libraries + description: List of shared libraries used by this ELF object. 
+ flat_name: process.responsible.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +process.responsible.elf.telfhash: + dashed_name: process-responsible-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.responsible.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +process.responsible.end: + dashed_name: process-responsible-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.responsible.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date +process.responsible.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-responsible-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.responsible.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean +process.responsible.entity_id: + dashed_name: process-responsible-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' 
+ example: c2c455d9f99375d + flat_name: process.responsible.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.responsible.entry_meta.source.address: + dashed_name: process-responsible-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.responsible.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword +process.responsible.entry_meta.source.as.number: + dashed_name: process-responsible-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.responsible.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.responsible.entry_meta.source.as.organization.name: + dashed_name: process-responsible-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.responsible.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. 
+ type: keyword +process.responsible.entry_meta.source.bytes: + dashed_name: process-responsible-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.responsible.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long +process.responsible.entry_meta.source.domain: + dashed_name: process-responsible-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com + flat_name: process.responsible.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.responsible.entry_meta.source.geo.city_name: + dashed_name: process-responsible-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.responsible.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +process.responsible.entry_meta.source.geo.continent_code: + dashed_name: process-responsible-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.responsible.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +process.responsible.entry_meta.source.geo.continent_name: + dashed_name: process-responsible-entry-meta-source-geo-continent-name + description: Name of the continent. 
+ example: North America + flat_name: process.responsible.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +process.responsible.entry_meta.source.geo.country_iso_code: + dashed_name: process-responsible-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.responsible.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +process.responsible.entry_meta.source.geo.country_name: + dashed_name: process-responsible-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.responsible.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +process.responsible.entry_meta.source.geo.location: + dashed_name: process-responsible-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.responsible.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +process.responsible.entry_meta.source.geo.name: + dashed_name: process-responsible-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' 
+ example: boston-dc + flat_name: process.responsible.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.responsible.entry_meta.source.geo.postal_code: + dashed_name: process-responsible-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.responsible.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +process.responsible.entry_meta.source.geo.region_iso_code: + dashed_name: process-responsible-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.responsible.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.responsible.entry_meta.source.geo.region_name: + dashed_name: process-responsible-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.responsible.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +process.responsible.entry_meta.source.geo.timezone: + dashed_name: process-responsible-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.responsible.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. 
+ type: keyword +process.responsible.entry_meta.source.ip: + dashed_name: process-responsible-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.responsible.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip +process.responsible.entry_meta.source.mac: + dashed_name: process-responsible-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.responsible.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.responsible.entry_meta.source.nat.ip: + dashed_name: process-responsible-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.responsible.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.responsible.entry_meta.source.nat.port: + dashed_name: process-responsible-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' 
+ flat_name: process.responsible.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.responsible.entry_meta.source.packets: + dashed_name: process-responsible-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.responsible.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.responsible.entry_meta.source.port: + dashed_name: process-responsible-entry-meta-source-port + description: Port of the source. + flat_name: process.responsible.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.responsible.entry_meta.source.registered_domain: + dashed_name: process-responsible-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.responsible.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword +process.responsible.entry_meta.source.subdomain: + dashed_name: process-responsible-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. 
In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.responsible.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword +process.responsible.entry_meta.source.top_level_domain: + dashed_name: process-responsible-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.responsible.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword +process.responsible.entry_meta.type: + dashed_name: process-responsible-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.responsible.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. 
+ type: keyword +process.responsible.env_vars: + dashed_name: process-responsible-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.responsible.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.responsible.executable: + dashed_name: process-responsible-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.responsible.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword +process.responsible.exit_code: + dashed_name: process-responsible-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.responsible.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long +process.responsible.group.domain: + dashed_name: process-responsible-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.responsible.group.id: + dashed_name: process-responsible-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.responsible.group.name: + dashed_name: process-responsible-group-name + description: Name of the group. + flat_name: process.responsible.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.responsible.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-responsible-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.responsible.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.responsible.hash.md5: + dashed_name: process-responsible-hash-md5 + description: MD5 hash. + flat_name: process.responsible.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.responsible.hash.sha1: + dashed_name: process-responsible-hash-sha1 + description: SHA1 hash. + flat_name: process.responsible.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.responsible.hash.sha256: + dashed_name: process-responsible-hash-sha256 + description: SHA256 hash. 
+ flat_name: process.responsible.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.responsible.hash.sha384: + dashed_name: process-responsible-hash-sha384 + description: SHA384 hash. + flat_name: process.responsible.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword +process.responsible.hash.sha512: + dashed_name: process-responsible-hash-sha512 + description: SHA512 hash. + flat_name: process.responsible.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.responsible.hash.ssdeep: + dashed_name: process-responsible-hash-ssdeep + description: SSDEEP hash. + flat_name: process.responsible.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +process.responsible.hash.tlsh: + dashed_name: process-responsible-hash-tlsh + description: TLSH hash. + flat_name: process.responsible.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.responsible.interactive: + dashed_name: process-responsible-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). 
A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.responsible.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.responsible.io: + dashed_name: process-responsible-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.responsible.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object +process.responsible.io.bytes_skipped: + dashed_name: process-responsible-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. + flat_name: process.responsible.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.responsible.io.bytes_skipped.length: + dashed_name: process-responsible-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.responsible.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long +process.responsible.io.bytes_skipped.offset: + dashed_name: process-responsible-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. 
+ flat_name: process.responsible.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.responsible.io.max_bytes_per_process_exceeded: + dashed_name: process-responsible-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.responsible.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.responsible.io.text: + dashed_name: process-responsible-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.responsible.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard +process.responsible.io.total_bytes_captured: + dashed_name: process-responsible-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.responsible.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. 
+ type: long +process.responsible.io.total_bytes_skipped: + dashed_name: process-responsible-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.responsible.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: long +process.responsible.io.type: + dashed_name: process-responsible-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.responsible.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword +process.responsible.macho.go_import_hash: + dashed_name: process-responsible-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.responsible.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. 
+ type: keyword +process.responsible.macho.go_imports: + dashed_name: process-responsible-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.responsible.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.responsible.macho.go_imports_names_entropy: + dashed_name: process-responsible-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.responsible.macho.go_imports_names_var_entropy: + dashed_name: process-responsible-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.responsible.macho.go_stripped: + dashed_name: process-responsible-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.responsible.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.responsible.macho.import_hash: + dashed_name: process-responsible-macho-import-hash + description: 'A hash of the imports in a Mach-O file. 
An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.responsible.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.responsible.macho.imports: + dashed_name: process-responsible-macho-imports + description: List of imported element names and types. + flat_name: process.responsible.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.responsible.macho.imports_names_entropy: + dashed_name: process-responsible-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.responsible.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.responsible.macho.imports_names_var_entropy: + dashed_name: process-responsible-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.responsible.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.responsible.macho.sections: + dashed_name: process-responsible-macho-sections + description: 'An array containing an object for each section of the Mach-O file. 
+ + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.responsible.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.responsible.macho.sections.entropy: + dashed_name: process-responsible-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.responsible.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.responsible.macho.sections.name: + dashed_name: process-responsible-macho-sections-name + description: Mach-O Section List name. + flat_name: process.responsible.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.responsible.macho.sections.physical_size: + dashed_name: process-responsible-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.responsible.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.responsible.macho.sections.var_entropy: + dashed_name: process-responsible-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.responsible.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. 
+ type: long +process.responsible.macho.sections.virtual_size: + dashed_name: process-responsible-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.responsible.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.responsible.macho.symhash: + dashed_name: process-responsible-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.responsible.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.responsible.name: + dashed_name: process-responsible-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.responsible.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword +process.responsible.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-responsible-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. 
+ example: http://example.com/article1.html + flat_name: process.responsible.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.responsible.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-responsible-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.responsible.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword +process.responsible.pe.architecture: + dashed_name: process-responsible-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.responsible.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +process.responsible.pe.company: + dashed_name: process-responsible-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.responsible.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.responsible.pe.description: + dashed_name: process-responsible-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.responsible.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. 
+ type: keyword +process.responsible.pe.file_version: + dashed_name: process-responsible-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.responsible.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +process.responsible.pe.go_import_hash: + dashed_name: process-responsible-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.responsible.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword +process.responsible.pe.go_imports: + dashed_name: process-responsible-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.responsible.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.responsible.pe.go_imports_names_entropy: + dashed_name: process-responsible-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. 
+ type: long +process.responsible.pe.go_imports_names_var_entropy: + dashed_name: process-responsible-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.responsible.pe.go_stripped: + dashed_name: process-responsible-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.responsible.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.responsible.pe.imphash: + dashed_name: process-responsible-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.responsible.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.responsible.pe.import_hash: + dashed_name: process-responsible-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.responsible.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.responsible.pe.imports: + dashed_name: process-responsible-pe-imports + description: List of imported element names and types. + flat_name: process.responsible.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +process.responsible.pe.imports_names_entropy: + dashed_name: process-responsible-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.responsible.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.responsible.pe.imports_names_var_entropy: + dashed_name: process-responsible-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.responsible.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.responsible.pe.original_file_name: + dashed_name: process-responsible-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.responsible.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. 
+ type: keyword +process.responsible.pe.pehash: + dashed_name: process-responsible-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.responsible.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword +process.responsible.pe.product: + dashed_name: process-responsible-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.responsible.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.responsible.pe.sections: + dashed_name: process-responsible-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.responsible.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.responsible.pe.sections.entropy: + dashed_name: process-responsible-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.responsible.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. 
+ type: long +process.responsible.pe.sections.name: + dashed_name: process-responsible-pe-sections-name + description: PE Section List name. + flat_name: process.responsible.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword +process.responsible.pe.sections.physical_size: + dashed_name: process-responsible-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.responsible.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.responsible.pe.sections.var_entropy: + dashed_name: process-responsible-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.responsible.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.responsible.pe.sections.virtual_size: + dashed_name: process-responsible-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.responsible.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.responsible.pid: + dashed_name: process-responsible-pid + description: Process id. + example: 4242 + flat_name: process.responsible.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.responsible.platform_binary: + beta: This field is beta and subject to change. 
+ dashed_name: process-responsible-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. + flat_name: process.responsible.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.responsible.real_group.domain: + dashed_name: process-responsible-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.responsible.real_group.id: + dashed_name: process-responsible-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.responsible.real_group.name: + dashed_name: process-responsible-real-group-name + description: Name of the group. + flat_name: process.responsible.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.responsible.real_user.domain: + dashed_name: process-responsible-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. 
+ type: keyword +process.responsible.real_user.email: + dashed_name: process-responsible-real-user-email + description: User email address. + flat_name: process.responsible.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.responsible.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.responsible.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.responsible.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.responsible.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.responsible.real_user.entity.display_name: + beta: This field is beta and subject to change. 
+ dashed_name: process-responsible-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.responsible.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.real_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.responsible.real_user.entity.id: + dashed_name: process-responsible-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.responsible.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.responsible.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. 
+ flat_name: process.responsible.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.responsible.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.responsible.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.responsible.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.responsible.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.responsible.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. 
+ flat_name: process.responsible.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.real_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.responsible.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.responsible.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.responsible.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.responsible.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.responsible.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). 
+ flat_name: process.responsible.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.responsible.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.responsible.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.responsible.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. 
+ Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. 
Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.responsible.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.responsible.real_user.full_name: + dashed_name: process-responsible-real-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.responsible.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.responsible.real_user.group.domain: + dashed_name: process-responsible-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.responsible.real_user.group.id: + dashed_name: process-responsible-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.responsible.real_user.group.name: + dashed_name: process-responsible-real-user-group-name + description: Name of the group. + flat_name: process.responsible.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.responsible.real_user.hash: + dashed_name: process-responsible-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.responsible.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.responsible.real_user.id: + dashed_name: process-responsible-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.responsible.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.responsible.real_user.name: + dashed_name: process-responsible-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.responsible.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.responsible.real_user.risk.calculated_level: + dashed_name: process-responsible-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.responsible.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.responsible.real_user.risk.calculated_score: + dashed_name: process-responsible-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.responsible.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.responsible.real_user.risk.calculated_score_norm: + dashed_name: process-responsible-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.responsible.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.responsible.real_user.risk.static_level: + dashed_name: process-responsible-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.responsible.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.responsible.real_user.risk.static_score: + dashed_name: process-responsible-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.responsible.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: float +process.responsible.real_user.risk.static_score_norm: + dashed_name: process-responsible-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.responsible.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.responsible.real_user.roles: + dashed_name: process-responsible-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.responsible.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.responsible.same_as_process: + dashed_name: process-responsible-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. 
e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.responsible.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.responsible.saved_group.domain: + dashed_name: process-responsible-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.responsible.saved_group.id: + dashed_name: process-responsible-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.responsible.saved_group.name: + dashed_name: process-responsible-saved-group-name + description: Name of the group. + flat_name: process.responsible.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.responsible.saved_user.domain: + dashed_name: process-responsible-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.responsible.saved_user.email: + dashed_name: process-responsible-saved-user-email + description: User email address. + flat_name: process.responsible.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.responsible.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.responsible.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.responsible.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. 
Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.responsible.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.responsible.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.responsible.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.saved_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.responsible.saved_user.entity.id: + dashed_name: process-responsible-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' 
+ flat_name: process.responsible.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.responsible.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.responsible.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.responsible.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.responsible.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.responsible.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.responsible.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. 
+ type: object +process.responsible.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.responsible.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.saved_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.responsible.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.responsible.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.responsible.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: process.responsible.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.responsible.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.responsible.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.responsible.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.responsible.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.responsible.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. 
+ name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
+ example: host + flat_name: process.responsible.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.responsible.saved_user.full_name: + dashed_name: process-responsible-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.responsible.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.responsible.saved_user.group.domain: + dashed_name: process-responsible-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.responsible.saved_user.group.id: + dashed_name: process-responsible-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.responsible.saved_user.group.name: + dashed_name: process-responsible-saved-user-group-name + description: Name of the group. + flat_name: process.responsible.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.responsible.saved_user.hash: + dashed_name: process-responsible-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.responsible.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.responsible.saved_user.id: + dashed_name: process-responsible-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.responsible.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.responsible.saved_user.name: + dashed_name: process-responsible-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.responsible.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.responsible.saved_user.risk.calculated_level: + dashed_name: process-responsible-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.responsible.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: keyword +process.responsible.saved_user.risk.calculated_score: + dashed_name: process-responsible-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.responsible.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.responsible.saved_user.risk.calculated_score_norm: + dashed_name: process-responsible-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.responsible.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.responsible.saved_user.risk.static_level: + dashed_name: process-responsible-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.responsible.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.responsible.saved_user.risk.static_score: + dashed_name: process-responsible-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.responsible.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.responsible.saved_user.risk.static_score_norm: + dashed_name: process-responsible-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.responsible.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.responsible.saved_user.roles: + dashed_name: process-responsible-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.responsible.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.responsible.start: + dashed_name: process-responsible-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.responsible.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.responsible.supplemental_groups.domain: + dashed_name: process-responsible-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.responsible.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.responsible.supplemental_groups.id: + dashed_name: process-responsible-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.responsible.supplemental_groups.name: + dashed_name: process-responsible-supplemental-groups-name + description: Name of the group. + flat_name: process.responsible.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.responsible.thread.capabilities.effective: + dashed_name: process-responsible-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.responsible.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword +process.responsible.thread.capabilities.permitted: + dashed_name: process-responsible-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.responsible.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword +process.responsible.thread.id: + dashed_name: process-responsible-thread-id + description: Thread ID. + example: 4242 + flat_name: process.responsible.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long +process.responsible.thread.name: + dashed_name: process-responsible-thread-name + description: Thread name. + example: thread-0 + flat_name: process.responsible.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword +process.responsible.title: + dashed_name: process-responsible-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' + flat_name: process.responsible.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword +process.responsible.tty: + dashed_name: process-responsible-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.responsible.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. 
+ type: object +process.responsible.tty.char_device.major: + dashed_name: process-responsible-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.responsible.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long +process.responsible.tty.char_device.minor: + dashed_name: process-responsible-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.responsible.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long +process.responsible.tty.columns: + dashed_name: process-responsible-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.responsible.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long +process.responsible.tty.rows: + dashed_name: process-responsible-tty-rows + description: 'The number of character rows in the terminal. 
e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.responsible.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long +process.responsible.uptime: + dashed_name: process-responsible-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.responsible.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long +process.responsible.user.domain: + dashed_name: process-responsible-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.responsible.user.email: + dashed_name: process-responsible-user-email + description: User email address. + flat_name: process.responsible.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.responsible.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. 
+ flat_name: process.responsible.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.responsible.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.responsible.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.responsible.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.responsible.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.responsible.user.entity.id: + dashed_name: process-responsible-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.responsible.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.responsible.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.responsible.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.responsible.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.responsible.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. 
+ type: object +process.responsible.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.responsible.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.responsible.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.responsible.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.responsible.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.responsible.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.responsible.user.entity.reference: + beta: This field is beta and subject to change. 
+ dashed_name: process-responsible-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.responsible.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.responsible.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.responsible.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.responsible.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.responsible.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. 
+ type: keyword +process.responsible.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. 
+ name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-type + description: 'A standardized high-level classification of the entity. 
This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.responsible.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.responsible.user.full_name: + dashed_name: process-responsible-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.responsible.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.responsible.user.group.domain: + dashed_name: process-responsible-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.responsible.user.group.id: + dashed_name: process-responsible-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.responsible.user.group.name: + dashed_name: process-responsible-user-group-name + description: Name of the group. 
+ flat_name: process.responsible.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.responsible.user.hash: + dashed_name: process-responsible-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.responsible.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.responsible.user.id: + dashed_name: process-responsible-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.responsible.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.responsible.user.name: + dashed_name: process-responsible-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.responsible.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.responsible.user.risk.calculated_level: + dashed_name: process-responsible-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.responsible.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.responsible.user.risk.calculated_score: + dashed_name: process-responsible-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.responsible.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.responsible.user.risk.calculated_score_norm: + dashed_name: process-responsible-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.responsible.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.responsible.user.risk.static_level: + dashed_name: process-responsible-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.responsible.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: keyword +process.responsible.user.risk.static_score: + dashed_name: process-responsible-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.responsible.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.responsible.user.risk.static_score_norm: + dashed_name: process-responsible-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.responsible.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.responsible.user.roles: + dashed_name: process-responsible-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.responsible.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.responsible.vpid: + dashed_name: process-responsible-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.responsible.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. 
+ type: long +process.responsible.working_directory: + dashed_name: process-responsible-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.responsible.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword +process.same_as_process: + dashed_name: process-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.same_as_process + level: extended + name: same_as_process + normalize: [] + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.saved_group.domain: + dashed_name: process-saved-group-domain + description: 'Name of the directory the group is a member of. 
+ + For example, an LDAP or Active Directory domain name.' + flat_name: process.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.saved_group.id: + dashed_name: process-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.saved_group.name: + dashed_name: process-saved-group-name + description: Name of the group. + flat_name: process.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.saved_user.domain: + dashed_name: process-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.saved_user.email: + dashed_name: process-saved-user-email + description: User email address. + flat_name: process.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. 
Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.saved_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. 
+ type: keyword +process.saved_user.entity.id: + dashed_name: process-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.saved_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. 
+ type: object +process.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. 
+ type: keyword +process.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. 
+ name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-type + description: 'A standardized high-level classification of the entity. 
This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.saved_user.full_name: + dashed_name: process-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.saved_user.group.domain: + dashed_name: process-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.saved_user.group.id: + dashed_name: process-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.saved_user.group.name: + dashed_name: process-saved-user-group-name + description: Name of the group. + flat_name: process.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.saved_user.hash: + dashed_name: process-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.saved_user.id: + dashed_name: process-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + otel: + - relation: match + short: Unique identifier of the user. + type: keyword +process.saved_user.name: + dashed_name: process-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + otel: + - relation: match + short: Short name or login of the user. + type: keyword +process.saved_user.risk.calculated_level: + dashed_name: process-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: keyword +process.saved_user.risk.calculated_score: + dashed_name: process-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.saved_user.risk.calculated_score_norm: + dashed_name: process-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.saved_user.risk.static_level: + dashed_name: process-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.saved_user.risk.static_score: + dashed_name: process-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.saved_user.risk.static_score_norm: + dashed_name: process-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.saved_user.roles: + dashed_name: process-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.session_leader.args: + dashed_name: process-session-leader-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.session_leader.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword +process.session_leader.args_count: + dashed_name: process-session-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. 
More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.session_leader.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long +process.session_leader.attested_groups.domain: + dashed_name: process-session-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.attested_groups.id: + dashed_name: process-session-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.attested_groups.name: + dashed_name: process-session-leader-attested-groups-name + description: Name of the group. + flat_name: process.session_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.attested_user.domain: + dashed_name: process-session-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. 
+ type: keyword +process.session_leader.attested_user.email: + dashed_name: process-session-leader-attested-user-email + description: User email address. + flat_name: process.session_leader.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.session_leader.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.session_leader.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.session_leader.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.session_leader.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. 
+ type: object +process.session_leader.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.attested_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.session_leader.attested_user.entity.id: + dashed_name: process-session-leader-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.session_leader.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.session_leader.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.session_leader.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.session_leader.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.session_leader.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.session_leader.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-name + description: The name of the entity. 
The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.session_leader.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.attested_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.session_leader.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.session_leader.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.session_leader.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.session_leader.attested_user.entity.source: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-attested-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.session_leader.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.session_leader.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.session_leader.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. 
+ The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. 
Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.session_leader.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. 
+ type: keyword +process.session_leader.attested_user.full_name: + dashed_name: process-session-leader-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.session_leader.attested_user.group.domain: + dashed_name: process-session-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.attested_user.group.id: + dashed_name: process-session-leader-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.attested_user.group.name: + dashed_name: process-session-leader-attested-user-group-name + description: Name of the group. + flat_name: process.session_leader.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.attested_user.hash: + dashed_name: process-session-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. 
+ + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.session_leader.attested_user.id: + dashed_name: process-session-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.session_leader.attested_user.name: + dashed_name: process-session-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.session_leader.attested_user.risk.calculated_level: + dashed_name: process-session-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: keyword +process.session_leader.attested_user.risk.calculated_score: + dashed_name: process-session-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.session_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-session-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.session_leader.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.session_leader.attested_user.risk.static_level: + dashed_name: process-session-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: keyword +process.session_leader.attested_user.risk.static_score: + dashed_name: process-session-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.session_leader.attested_user.risk.static_score_norm: + dashed_name: process-session-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.session_leader.attested_user.roles: + dashed_name: process-session-leader-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.session_leader.code_signature.digest_algorithm: + dashed_name: process-session-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times by + the same signer but with a different digest algorithm.' 
+ example: sha256 + flat_name: process.session_leader.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword +process.session_leader.code_signature.exists: + dashed_name: process-session-leader-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.session_leader.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +process.session_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.session_leader.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword +process.session_leader.code_signature.signing_id: + dashed_name: process-session-leader-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.session_leader.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +process.session_leader.code_signature.status: + dashed_name: process-session-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. 
Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.session_leader.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +process.session_leader.code_signature.subject_name: + dashed_name: process-session-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.session_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.session_leader.code_signature.team_id: + dashed_name: process-session-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.session_leader.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword +process.session_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.session_leader.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. 
+ type: keyword +process.session_leader.code_signature.timestamp: + dashed_name: process-session-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.session_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date +process.session_leader.code_signature.trusted: + dashed_name: process-session-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.session_leader.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +process.session_leader.code_signature.valid: + dashed_name: process-session-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.session_leader.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +process.session_leader.command_line: + dashed_name: process-session-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' 
+ example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.session_leader.command_line + level: extended + multi_fields: + - flat_name: process.session_leader.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.session_leader.elf.architecture: + dashed_name: process-session-leader-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.session_leader.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +process.session_leader.elf.byte_order: + dashed_name: process-session-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.session_leader.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +process.session_leader.elf.cpu_type: + dashed_name: process-session-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.session_leader.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +process.session_leader.elf.creation_date: + dashed_name: process-session-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: process.session_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. 
+ type: date +process.session_leader.elf.exports: + dashed_name: process-session-leader-elf-exports + description: List of exported element names and types. + flat_name: process.session_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +process.session_leader.elf.go_import_hash: + dashed_name: process-session-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +process.session_leader.elf.go_imports: + dashed_name: process-session-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +process.session_leader.elf.go_imports_names_entropy: + dashed_name: process-session-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. 
+ type: long +process.session_leader.elf.go_imports_names_var_entropy: + dashed_name: process-session-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.session_leader.elf.go_stripped: + dashed_name: process-session-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.session_leader.elf.header.abi_version: + dashed_name: process-session-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.session_leader.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +process.session_leader.elf.header.class: + dashed_name: process-session-leader-elf-header-class + description: Header class of the ELF file. + flat_name: process.session_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +process.session_leader.elf.header.data: + dashed_name: process-session-leader-elf-header-data + description: Data table of the ELF header. 
+ flat_name: process.session_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +process.session_leader.elf.header.entrypoint: + dashed_name: process-session-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.session_leader.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +process.session_leader.elf.header.object_version: + dashed_name: process-session-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.session_leader.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +process.session_leader.elf.header.os_abi: + dashed_name: process-session-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.session_leader.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +process.session_leader.elf.header.type: + dashed_name: process-session-leader-elf-header-type + description: Header type of the ELF file. + flat_name: process.session_leader.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +process.session_leader.elf.header.version: + dashed_name: process-session-leader-elf-header-version + description: Version of the ELF header. 
+ flat_name: process.session_leader.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.session_leader.elf.import_hash: + dashed_name: process-session-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword +process.session_leader.elf.imports: + dashed_name: process-session-leader-elf-imports + description: List of imported element names and types. + flat_name: process.session_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.session_leader.elf.imports_names_entropy: + dashed_name: process-session-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.session_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.session_leader.elf.imports_names_var_entropy: + dashed_name: process-session-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.session_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.session_leader.elf.sections: + dashed_name: process-session-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: process.session_leader.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +process.session_leader.elf.sections.chi2: + dashed_name: process-session-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.session_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +process.session_leader.elf.sections.entropy: + dashed_name: process-session-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.session_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +process.session_leader.elf.sections.flags: + dashed_name: process-session-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.session_leader.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. 
+ type: keyword +process.session_leader.elf.sections.name: + dashed_name: process-session-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.session_leader.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +process.session_leader.elf.sections.physical_offset: + dashed_name: process-session-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.session_leader.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +process.session_leader.elf.sections.physical_size: + dashed_name: process-session-leader-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.session_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +process.session_leader.elf.sections.type: + dashed_name: process-session-leader-elf-sections-type + description: ELF Section List type. + flat_name: process.session_leader.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +process.session_leader.elf.sections.var_entropy: + dashed_name: process-session-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. 
+ type: long +process.session_leader.elf.sections.virtual_address: + dashed_name: process-session-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.session_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.session_leader.elf.sections.virtual_size: + dashed_name: process-session-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.session_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +process.session_leader.elf.segments: + dashed_name: process-session-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: process.session_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +process.session_leader.elf.segments.sections: + dashed_name: process-session-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.session_leader.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +process.session_leader.elf.segments.type: + dashed_name: process-session-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.session_leader.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. 
+ type: keyword +process.session_leader.elf.shared_libraries: + dashed_name: process-session-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.session_leader.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +process.session_leader.elf.telfhash: + dashed_name: process-session-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.session_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +process.session_leader.end: + dashed_name: process-session-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date +process.session_leader.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.session_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean +process.session_leader.entity_id: + dashed_name: process-session-leader-entity-id + description: 'Unique identifier for the process. 
+ + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.session_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.session_leader.entry_meta.source.address: + dashed_name: process-session-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.session_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword +process.session_leader.entry_meta.source.as.number: + dashed_name: process-session-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.session_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.session_leader.entry_meta.source.as.organization.name: + dashed_name: process-session-leader-entry-meta-source-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: process.session_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword +process.session_leader.entry_meta.source.bytes: + dashed_name: process-session-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.session_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long +process.session_leader.entry_meta.source.domain: + dashed_name: process-session-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com + flat_name: process.session_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.session_leader.entry_meta.source.geo.city_name: + dashed_name: process-session-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.session_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +process.session_leader.entry_meta.source.geo.continent_code: + dashed_name: process-session-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. 
+ example: NA + flat_name: process.session_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +process.session_leader.entry_meta.source.geo.continent_name: + dashed_name: process-session-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.session_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +process.session_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-session-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.session_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +process.session_leader.entry_meta.source.geo.country_name: + dashed_name: process-session-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.session_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +process.session_leader.entry_meta.source.geo.location: + dashed_name: process-session-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.session_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. 
+ type: geo_point +process.session_leader.entry_meta.source.geo.name: + dashed_name: process-session-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.session_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.session_leader.entry_meta.source.geo.postal_code: + dashed_name: process-session-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.session_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +process.session_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-session-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.session_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.session_leader.entry_meta.source.geo.region_name: + dashed_name: process-session-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.session_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. 
+ type: keyword +process.session_leader.entry_meta.source.geo.timezone: + dashed_name: process-session-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.session_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +process.session_leader.entry_meta.source.ip: + dashed_name: process-session-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.session_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip +process.session_leader.entry_meta.source.mac: + dashed_name: process-session-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.session_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.session_leader.entry_meta.source.nat.ip: + dashed_name: process-session-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' 
+ flat_name: process.session_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.session_leader.entry_meta.source.nat.port: + dashed_name: process-session-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.session_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.session_leader.entry_meta.source.packets: + dashed_name: process-session-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.session_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.session_leader.entry_meta.source.port: + dashed_name: process-session-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.session_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.session_leader.entry_meta.source.registered_domain: + dashed_name: process-session-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' 
+ example: example.com + flat_name: process.session_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword +process.session_leader.entry_meta.source.subdomain: + dashed_name: process-session-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.session_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword +process.session_leader.entry_meta.source.top_level_domain: + dashed_name: process-session-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' 
+ example: co.uk + flat_name: process.session_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword +process.session_leader.entry_meta.type: + dashed_name: process-session-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.session_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword +process.session_leader.env_vars: + dashed_name: process-session-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.session_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.session_leader.executable: + dashed_name: process-session-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.session_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. 
+ type: keyword +process.session_leader.exit_code: + dashed_name: process-session-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.session_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long +process.session_leader.group.domain: + dashed_name: process-session-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.group.id: + dashed_name: process-session-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.group.name: + dashed_name: process-session-leader-group-name + description: Name of the group. + flat_name: process.session_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. 
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.session_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.session_leader.hash.md5: + dashed_name: process-session-leader-hash-md5 + description: MD5 hash. + flat_name: process.session_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.session_leader.hash.sha1: + dashed_name: process-session-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.session_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.session_leader.hash.sha256: + dashed_name: process-session-leader-hash-sha256 + description: SHA256 hash. + flat_name: process.session_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.session_leader.hash.sha384: + dashed_name: process-session-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.session_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword +process.session_leader.hash.sha512: + dashed_name: process-session-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.session_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.session_leader.hash.ssdeep: + dashed_name: process-session-leader-hash-ssdeep + description: SSDEEP hash. 
+ flat_name: process.session_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +process.session_leader.hash.tlsh: + dashed_name: process-session-leader-hash-tlsh + description: TLSH hash. + flat_name: process.session_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.session_leader.interactive: + dashed_name: process-session-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.session_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.session_leader.io: + dashed_name: process-session-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.session_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. 
+ type: object +process.session_leader.io.bytes_skipped: + dashed_name: process-session-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. + flat_name: process.session_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.session_leader.io.bytes_skipped.length: + dashed_name: process-session-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.session_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long +process.session_leader.io.bytes_skipped.offset: + dashed_name: process-session-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.session_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.session_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-session-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.session_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. 
+ type: boolean +process.session_leader.io.text: + dashed_name: process-session-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.session_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard +process.session_leader.io.total_bytes_captured: + dashed_name: process-session-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.session_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long +process.session_leader.io.total_bytes_skipped: + dashed_name: process-session-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.session_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: long +process.session_leader.io.type: + dashed_name: process-session-leader-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' 
+ flat_name: process.session_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword +process.session_leader.macho.go_import_hash: + dashed_name: process-session-leader-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword +process.session_leader.macho.go_imports: + dashed_name: process-session-leader-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.session_leader.macho.go_imports_names_entropy: + dashed_name: process-session-leader-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. 
+ type: long +process.session_leader.macho.go_imports_names_var_entropy: + dashed_name: process-session-leader-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.session_leader.macho.go_stripped: + dashed_name: process-session-leader-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.session_leader.macho.import_hash: + dashed_name: process-session-leader-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.session_leader.macho.imports: + dashed_name: process-session-leader-macho-imports + description: List of imported element names and types. + flat_name: process.session_leader.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. 
+ type: flattened +process.session_leader.macho.imports_names_entropy: + dashed_name: process-session-leader-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.session_leader.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.session_leader.macho.imports_names_var_entropy: + dashed_name: process-session-leader-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.session_leader.macho.sections: + dashed_name: process-session-leader-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.session_leader.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.session_leader.macho.sections.entropy: + dashed_name: process-session-leader-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.session_leader.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. 
+ type: long +process.session_leader.macho.sections.name: + dashed_name: process-session-leader-macho-sections-name + description: Mach-O Section List name. + flat_name: process.session_leader.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.session_leader.macho.sections.physical_size: + dashed_name: process-session-leader-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.session_leader.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.session_leader.macho.sections.var_entropy: + dashed_name: process-session-leader-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.session_leader.macho.sections.virtual_size: + dashed_name: process-session-leader-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.session_leader.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.session_leader.macho.symhash: + dashed_name: process-session-leader-macho-symhash + description: 'A hash of the imports in a Mach-O file. 
An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.session_leader.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.session_leader.name: + dashed_name: process-session-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.session_leader.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword +process.session_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + flat_name: process.session_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.session_leader.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.session_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. 
+ type: keyword +process.session_leader.parent.args: + dashed_name: process-session-leader-parent-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.session_leader.parent.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword +process.session_leader.parent.args_count: + dashed_name: process-session-leader-parent-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.session_leader.parent.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long +process.session_leader.parent.attested_groups.domain: + dashed_name: process-session-leader-parent-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.attested_groups.id: + dashed_name: process-session-leader-parent-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword +process.session_leader.parent.attested_groups.name: + dashed_name: process-session-leader-parent-attested-groups-name + description: Name of the group. + flat_name: process.session_leader.parent.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.attested_user.domain: + dashed_name: process-session-leader-parent-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.session_leader.parent.attested_user.email: + dashed_name: process-session-leader-parent-attested-user-email + description: User email address. + flat_name: process.session_leader.parent.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.session_leader.parent.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.session_leader.parent.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. 
+ type: object +process.session_leader.parent.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.session_leader.parent.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.session_leader.parent.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.parent.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.attested_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.session_leader.parent.attested_user.entity.id: + dashed_name: process-session-leader-parent-attested-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.session_leader.parent.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.session_leader.parent.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.parent.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.session_leader.parent.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.session_leader.parent.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.session_leader.parent.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.session_leader.parent.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.session_leader.parent.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.session_leader.parent.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.attested_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.session_leader.parent.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. 
While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.session_leader.parent.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.session_leader.parent.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.parent.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.session_leader.parent.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.session_leader.parent.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.session_leader.parent.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. 
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.parent.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.session_leader.parent.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. 
This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. 
This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.session_leader.parent.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.session_leader.parent.attested_user.full_name: + dashed_name: process-session-leader-parent-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.session_leader.parent.attested_user.group.domain: + dashed_name: process-session-leader-parent-attested-user-group-domain + description: 'Name of the directory the group is a member of. 
+ + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.attested_user.group.id: + dashed_name: process-session-leader-parent-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.attested_user.group.name: + dashed_name: process-session-leader-parent-attested-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.attested_user.hash: + dashed_name: process-session-leader-parent-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.session_leader.parent.attested_user.id: + dashed_name: process-session-leader-parent-attested-user-id + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.session_leader.parent.attested_user.name: + dashed_name: process-session-leader-parent-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.session_leader.parent.attested_user.risk.calculated_level: + dashed_name: process-session-leader-parent-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.session_leader.parent.attested_user.risk.calculated_score: + dashed_name: process-session-leader-parent-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: float +process.session_leader.parent.attested_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.session_leader.parent.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.session_leader.parent.attested_user.risk.static_level: + dashed_name: process-session-leader-parent-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.session_leader.parent.attested_user.risk.static_score: + dashed_name: process-session-leader-parent-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: float +process.session_leader.parent.attested_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.session_leader.parent.attested_user.roles: + dashed_name: process-session-leader-parent-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.session_leader.parent.code_signature.digest_algorithm: + dashed_name: process-session-leader-parent-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times by + the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.session_leader.parent.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword +process.session_leader.parent.code_signature.exists: + dashed_name: process-session-leader-parent-code-signature-exists + description: Boolean to capture if a signature is present. 
+ example: 'true' + flat_name: process.session_leader.parent.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +process.session_leader.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.session_leader.parent.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword +process.session_leader.parent.code_signature.signing_id: + dashed_name: process-session-leader-parent-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.session_leader.parent.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +process.session_leader.parent.code_signature.status: + dashed_name: process-session-leader-parent-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.session_leader.parent.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. 
+ type: keyword +process.session_leader.parent.code_signature.subject_name: + dashed_name: process-session-leader-parent-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.session_leader.parent.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.session_leader.parent.code_signature.team_id: + dashed_name: process-session-leader-parent-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.session_leader.parent.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword +process.session_leader.parent.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.session_leader.parent.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword +process.session_leader.parent.code_signature.timestamp: + dashed_name: process-session-leader-parent-code-signature-timestamp + description: Date and time when the code signature was generated and signed. 
+ example: '2021-01-01T12:10:30Z' + flat_name: process.session_leader.parent.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date +process.session_leader.parent.code_signature.trusted: + dashed_name: process-session-leader-parent-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.session_leader.parent.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +process.session_leader.parent.code_signature.valid: + dashed_name: process-session-leader-parent-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.session_leader.parent.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +process.session_leader.parent.command_line: + dashed_name: process-session-leader-parent-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' 
+ example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.session_leader.parent.command_line + level: extended + multi_fields: + - flat_name: process.session_leader.parent.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.session_leader.parent.elf.architecture: + dashed_name: process-session-leader-parent-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.session_leader.parent.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +process.session_leader.parent.elf.byte_order: + dashed_name: process-session-leader-parent-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.session_leader.parent.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +process.session_leader.parent.elf.cpu_type: + dashed_name: process-session-leader-parent-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.session_leader.parent.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +process.session_leader.parent.elf.creation_date: + dashed_name: process-session-leader-parent-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: process.session_leader.parent.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. 
+ type: date +process.session_leader.parent.elf.exports: + dashed_name: process-session-leader-parent-elf-exports + description: List of exported element names and types. + flat_name: process.session_leader.parent.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +process.session_leader.parent.elf.go_import_hash: + dashed_name: process-session-leader-parent-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.parent.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +process.session_leader.parent.elf.go_imports: + dashed_name: process-session-leader-parent-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.parent.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +process.session_leader.parent.elf.go_imports_names_entropy: + dashed_name: process-session-leader-parent-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.session_leader.parent.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +process.session_leader.parent.elf.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.session_leader.parent.elf.go_stripped: + dashed_name: process-session-leader-parent-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.parent.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.session_leader.parent.elf.header.abi_version: + dashed_name: process-session-leader-parent-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.session_leader.parent.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +process.session_leader.parent.elf.header.class: + dashed_name: process-session-leader-parent-elf-header-class + description: Header class of the ELF file. 
+ flat_name: process.session_leader.parent.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +process.session_leader.parent.elf.header.data: + dashed_name: process-session-leader-parent-elf-header-data + description: Data table of the ELF header. + flat_name: process.session_leader.parent.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +process.session_leader.parent.elf.header.entrypoint: + dashed_name: process-session-leader-parent-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.session_leader.parent.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +process.session_leader.parent.elf.header.object_version: + dashed_name: process-session-leader-parent-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.session_leader.parent.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +process.session_leader.parent.elf.header.os_abi: + dashed_name: process-session-leader-parent-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.session_leader.parent.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +process.session_leader.parent.elf.header.type: + dashed_name: process-session-leader-parent-elf-header-type + description: Header type of the ELF file. 
+ flat_name: process.session_leader.parent.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +process.session_leader.parent.elf.header.version: + dashed_name: process-session-leader-parent-elf-header-version + description: Version of the ELF header. + flat_name: process.session_leader.parent.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.session_leader.parent.elf.import_hash: + dashed_name: process-session-leader-parent-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.parent.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword +process.session_leader.parent.elf.imports: + dashed_name: process-session-leader-parent-elf-imports + description: List of imported element names and types. + flat_name: process.session_leader.parent.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.session_leader.parent.elf.imports_names_entropy: + dashed_name: process-session-leader-parent-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.session_leader.parent.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.session_leader.parent.elf.imports_names_var_entropy: + dashed_name: process-session-leader-parent-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.parent.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.session_leader.parent.elf.sections: + dashed_name: process-session-leader-parent-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: process.session_leader.parent.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +process.session_leader.parent.elf.sections.chi2: + dashed_name: process-session-leader-parent-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.session_leader.parent.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +process.session_leader.parent.elf.sections.entropy: + dashed_name: process-session-leader-parent-elf-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: process.session_leader.parent.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +process.session_leader.parent.elf.sections.flags: + dashed_name: process-session-leader-parent-elf-sections-flags + description: ELF Section List flags. + flat_name: process.session_leader.parent.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +process.session_leader.parent.elf.sections.name: + dashed_name: process-session-leader-parent-elf-sections-name + description: ELF Section List name. + flat_name: process.session_leader.parent.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +process.session_leader.parent.elf.sections.physical_offset: + dashed_name: process-session-leader-parent-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.session_leader.parent.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +process.session_leader.parent.elf.sections.physical_size: + dashed_name: process-session-leader-parent-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.session_leader.parent.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +process.session_leader.parent.elf.sections.type: + dashed_name: process-session-leader-parent-elf-sections-type + description: ELF Section List type. 
+ flat_name: process.session_leader.parent.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +process.session_leader.parent.elf.sections.var_entropy: + dashed_name: process-session-leader-parent-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long +process.session_leader.parent.elf.sections.virtual_address: + dashed_name: process-session-leader-parent-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.session_leader.parent.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.session_leader.parent.elf.sections.virtual_size: + dashed_name: process-session-leader-parent-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.session_leader.parent.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +process.session_leader.parent.elf.segments: + dashed_name: process-session-leader-parent-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: process.session_leader.parent.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. 
+ type: nested +process.session_leader.parent.elf.segments.sections: + dashed_name: process-session-leader-parent-elf-segments-sections + description: ELF object segment sections. + flat_name: process.session_leader.parent.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +process.session_leader.parent.elf.segments.type: + dashed_name: process-session-leader-parent-elf-segments-type + description: ELF object segment type. + flat_name: process.session_leader.parent.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +process.session_leader.parent.elf.shared_libraries: + dashed_name: process-session-leader-parent-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.session_leader.parent.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +process.session_leader.parent.elf.telfhash: + dashed_name: process-session-leader-parent-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.session_leader.parent.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +process.session_leader.parent.end: + dashed_name: process-session-leader-parent-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.parent.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. 
+ type: date +process.session_leader.parent.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.session_leader.parent.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean +process.session_leader.parent.entity_id: + dashed_name: process-session-leader-parent-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.session_leader.parent.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.session_leader.parent.entry_meta.source.address: + dashed_name: process-session-leader-parent-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' 
+ flat_name: process.session_leader.parent.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword +process.session_leader.parent.entry_meta.source.as.number: + dashed_name: process-session-leader-parent-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.session_leader.parent.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.session_leader.parent.entry_meta.source.as.organization.name: + dashed_name: process-session-leader-parent-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.session_leader.parent.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword +process.session_leader.parent.entry_meta.source.bytes: + dashed_name: process-session-leader-parent-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.session_leader.parent.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long +process.session_leader.parent.entry_meta.source.domain: + dashed_name: process-session-leader-parent-entry-meta-source-domain + description: 'The domain name of the source system. 
+ + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com + flat_name: process.session_leader.parent.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.session_leader.parent.entry_meta.source.geo.city_name: + dashed_name: process-session-leader-parent-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.session_leader.parent.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +process.session_leader.parent.entry_meta.source.geo.continent_code: + dashed_name: process-session-leader-parent-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.session_leader.parent.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +process.session_leader.parent.entry_meta.source.geo.continent_name: + dashed_name: process-session-leader-parent-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.session_leader.parent.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +process.session_leader.parent.entry_meta.source.geo.country_iso_code: + dashed_name: process-session-leader-parent-entry-meta-source-geo-country-iso-code + description: Country ISO code. 
+ example: CA + flat_name: process.session_leader.parent.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +process.session_leader.parent.entry_meta.source.geo.country_name: + dashed_name: process-session-leader-parent-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.session_leader.parent.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +process.session_leader.parent.entry_meta.source.geo.location: + dashed_name: process-session-leader-parent-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.session_leader.parent.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +process.session_leader.parent.entry_meta.source.geo.name: + dashed_name: process-session-leader-parent-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.session_leader.parent.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.session_leader.parent.entry_meta.source.geo.postal_code: + dashed_name: process-session-leader-parent-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. 
+ + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.session_leader.parent.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +process.session_leader.parent.entry_meta.source.geo.region_iso_code: + dashed_name: process-session-leader-parent-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.session_leader.parent.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.session_leader.parent.entry_meta.source.geo.region_name: + dashed_name: process-session-leader-parent-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.session_leader.parent.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +process.session_leader.parent.entry_meta.source.geo.timezone: + dashed_name: process-session-leader-parent-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.session_leader.parent.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +process.session_leader.parent.entry_meta.source.ip: + dashed_name: process-session-leader-parent-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.session_leader.parent.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. 
+ type: ip +process.session_leader.parent.entry_meta.source.mac: + dashed_name: process-session-leader-parent-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.session_leader.parent.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.session_leader.parent.entry_meta.source.nat.ip: + dashed_name: process-session-leader-parent-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.session_leader.parent.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.session_leader.parent.entry_meta.source.nat.port: + dashed_name: process-session-leader-parent-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.session_leader.parent.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.session_leader.parent.entry_meta.source.packets: + dashed_name: process-session-leader-parent-entry-meta-source-packets + description: Packets sent from the source to the destination. 
+ example: 12 + flat_name: process.session_leader.parent.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.session_leader.parent.entry_meta.source.port: + dashed_name: process-session-leader-parent-entry-meta-source-port + description: Port of the source. + flat_name: process.session_leader.parent.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.session_leader.parent.entry_meta.source.registered_domain: + dashed_name: process-session-leader-parent-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.session_leader.parent.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword +process.session_leader.parent.entry_meta.source.subdomain: + dashed_name: process-session-leader-parent-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.session_leader.parent.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword +process.session_leader.parent.entry_meta.source.top_level_domain: + dashed_name: process-session-leader-parent-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.session_leader.parent.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword +process.session_leader.parent.entry_meta.type: + dashed_name: process-session-leader-parent-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.session_leader.parent.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword +process.session_leader.parent.env_vars: + dashed_name: process-session-leader-parent-env-vars + description: 'Array of environment variable bindings. 
Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.session_leader.parent.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.session_leader.parent.executable: + dashed_name: process-session-leader-parent-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.session_leader.parent.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword +process.session_leader.parent.exit_code: + dashed_name: process-session-leader-parent-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.session_leader.parent.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long +process.session_leader.parent.group.domain: + dashed_name: process-session-leader-parent-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.session_leader.parent.group.id: + dashed_name: process-session-leader-parent-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.group.name: + dashed_name: process-session-leader-parent-group-name + description: Name of the group. + flat_name: process.session_leader.parent.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.session_leader.parent.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.session_leader.parent.hash.md5: + dashed_name: process-session-leader-parent-hash-md5 + description: MD5 hash. + flat_name: process.session_leader.parent.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.session_leader.parent.hash.sha1: + dashed_name: process-session-leader-parent-hash-sha1 + description: SHA1 hash. + flat_name: process.session_leader.parent.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. 
+ type: keyword +process.session_leader.parent.hash.sha256: + dashed_name: process-session-leader-parent-hash-sha256 + description: SHA256 hash. + flat_name: process.session_leader.parent.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.session_leader.parent.hash.sha384: + dashed_name: process-session-leader-parent-hash-sha384 + description: SHA384 hash. + flat_name: process.session_leader.parent.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword +process.session_leader.parent.hash.sha512: + dashed_name: process-session-leader-parent-hash-sha512 + description: SHA512 hash. + flat_name: process.session_leader.parent.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.session_leader.parent.hash.ssdeep: + dashed_name: process-session-leader-parent-hash-ssdeep + description: SSDEEP hash. + flat_name: process.session_leader.parent.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +process.session_leader.parent.hash.tlsh: + dashed_name: process-session-leader-parent-hash-tlsh + description: TLSH hash. + flat_name: process.session_leader.parent.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.session_leader.parent.interactive: + dashed_name: process-session-leader-parent-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. 
+ + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.session_leader.parent.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.session_leader.parent.io: + dashed_name: process-session-leader-parent-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.session_leader.parent.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object +process.session_leader.parent.io.bytes_skipped: + dashed_name: process-session-leader-parent-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. + flat_name: process.session_leader.parent.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.session_leader.parent.io.bytes_skipped.length: + dashed_name: process-session-leader-parent-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.session_leader.parent.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. 
+ type: long +process.session_leader.parent.io.bytes_skipped.offset: + dashed_name: process-session-leader-parent-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.session_leader.parent.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.session_leader.parent.io.max_bytes_per_process_exceeded: + dashed_name: process-session-leader-parent-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.session_leader.parent.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.session_leader.parent.io.text: + dashed_name: process-session-leader-parent-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.session_leader.parent.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. 
+ type: wildcard +process.session_leader.parent.io.total_bytes_captured: + dashed_name: process-session-leader-parent-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.session_leader.parent.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long +process.session_leader.parent.io.total_bytes_skipped: + dashed_name: process-session-leader-parent-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.session_leader.parent.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: long +process.session_leader.parent.io.type: + dashed_name: process-session-leader-parent-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.session_leader.parent.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword +process.session_leader.parent.macho.go_import_hash: + dashed_name: process-session-leader-parent-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.parent.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword +process.session_leader.parent.macho.go_imports: + dashed_name: process-session-leader-parent-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.parent.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.session_leader.parent.macho.go_imports_names_entropy: + dashed_name: process-session-leader-parent-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.session_leader.parent.macho.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long +process.session_leader.parent.macho.go_stripped: + dashed_name: process-session-leader-parent-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.parent.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.session_leader.parent.macho.import_hash: + dashed_name: process-session-leader-parent-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.parent.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.session_leader.parent.macho.imports: + dashed_name: process-session-leader-parent-macho-imports + description: List of imported element names and types. + flat_name: process.session_leader.parent.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.session_leader.parent.macho.imports_names_entropy: + dashed_name: process-session-leader-parent-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.session_leader.parent.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.session_leader.parent.macho.imports_names_var_entropy: + dashed_name: process-session-leader-parent-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.parent.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.session_leader.parent.macho.sections: + dashed_name: process-session-leader-parent-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.session_leader.parent.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.session_leader.parent.macho.sections.entropy: + dashed_name: process-session-leader-parent-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.session_leader.parent.macho.sections.name: + dashed_name: process-session-leader-parent-macho-sections-name + description: Mach-O Section List name. 
+ flat_name: process.session_leader.parent.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.session_leader.parent.macho.sections.physical_size: + dashed_name: process-session-leader-parent-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.session_leader.parent.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.session_leader.parent.macho.sections.var_entropy: + dashed_name: process-session-leader-parent-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.session_leader.parent.macho.sections.virtual_size: + dashed_name: process-session-leader-parent-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.session_leader.parent.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.session_leader.parent.macho.symhash: + dashed_name: process-session-leader-parent-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. 
+ + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.session_leader.parent.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.session_leader.parent.name: + dashed_name: process-session-leader-parent-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.session_leader.parent.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword +process.session_leader.parent.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + flat_name: process.session_leader.parent.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.session_leader.parent.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.session_leader.parent.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. 
+ type: keyword +process.session_leader.parent.pe.architecture: + dashed_name: process-session-leader-parent-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.session_leader.parent.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +process.session_leader.parent.pe.company: + dashed_name: process-session-leader-parent-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.session_leader.parent.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.session_leader.parent.pe.description: + dashed_name: process-session-leader-parent-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.session_leader.parent.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +process.session_leader.parent.pe.file_version: + dashed_name: process-session-leader-parent-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.session_leader.parent.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +process.session_leader.parent.pe.go_import_hash: + dashed_name: process-session-leader-parent-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.parent.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword +process.session_leader.parent.pe.go_imports: + dashed_name: process-session-leader-parent-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.parent.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.session_leader.parent.pe.go_imports_names_entropy: + dashed_name: process-session-leader-parent-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.session_leader.parent.pe.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long +process.session_leader.parent.pe.go_stripped: + dashed_name: process-session-leader-parent-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.parent.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.session_leader.parent.pe.imphash: + dashed_name: process-session-leader-parent-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.session_leader.parent.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.session_leader.parent.pe.import_hash: + dashed_name: process-session-leader-parent-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.parent.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.session_leader.parent.pe.imports: + dashed_name: process-session-leader-parent-pe-imports + description: List of imported element names and types. 
+ flat_name: process.session_leader.parent.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +process.session_leader.parent.pe.imports_names_entropy: + dashed_name: process-session-leader-parent-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.session_leader.parent.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.session_leader.parent.pe.imports_names_var_entropy: + dashed_name: process-session-leader-parent-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.parent.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.session_leader.parent.pe.original_file_name: + dashed_name: process-session-leader-parent-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.session_leader.parent.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +process.session_leader.parent.pe.pehash: + dashed_name: process-session-leader-parent-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. 
+ + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.session_leader.parent.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword +process.session_leader.parent.pe.product: + dashed_name: process-session-leader-parent-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.session_leader.parent.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.session_leader.parent.pe.sections: + dashed_name: process-session-leader-parent-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.session_leader.parent.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.session_leader.parent.pe.sections.entropy: + dashed_name: process-session-leader-parent-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.session_leader.parent.pe.sections.name: + dashed_name: process-session-leader-parent-pe-sections-name + description: PE Section List name. 
+ flat_name: process.session_leader.parent.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword +process.session_leader.parent.pe.sections.physical_size: + dashed_name: process-session-leader-parent-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.session_leader.parent.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.session_leader.parent.pe.sections.var_entropy: + dashed_name: process-session-leader-parent-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.session_leader.parent.pe.sections.virtual_size: + dashed_name: process-session-leader-parent-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.session_leader.parent.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.session_leader.parent.pid: + dashed_name: process-session-leader-parent-pid + description: Process id. + example: 4242 + flat_name: process.session_leader.parent.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.session_leader.parent.platform_binary: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. + flat_name: process.session_leader.parent.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.session_leader.parent.real_group.domain: + dashed_name: process-session-leader-parent-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.real_group.id: + dashed_name: process-session-leader-parent-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.real_group.name: + dashed_name: process-session-leader-parent-real-group-name + description: Name of the group. + flat_name: process.session_leader.parent.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.real_user.domain: + dashed_name: process-session-leader-parent-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.session_leader.parent.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.session_leader.parent.real_user.email: + dashed_name: process-session-leader-parent-real-user-email + description: User email address. + flat_name: process.session_leader.parent.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.session_leader.parent.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.session_leader.parent.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.session_leader.parent.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. 
+ flat_name: process.session_leader.parent.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.session_leader.parent.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.parent.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.real_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.session_leader.parent.real_user.entity.id: + dashed_name: process-session-leader-parent-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.session_leader.parent.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. 
+ type: keyword +process.session_leader.parent.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.parent.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.session_leader.parent.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.session_leader.parent.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.session_leader.parent.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.session_leader.parent.real_user.entity.name: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.session_leader.parent.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.real_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.session_leader.parent.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.session_leader.parent.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.session_leader.parent.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: process.session_leader.parent.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.session_leader.parent.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.session_leader.parent.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.session_leader.parent.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.parent.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.session_leader.parent.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. 
Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. 
Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. 
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.session_leader.parent.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.session_leader.parent.real_user.full_name: + dashed_name: process-session-leader-parent-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.session_leader.parent.real_user.group.domain: + dashed_name: process-session-leader-parent-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.real_user.group.id: + dashed_name: process-session-leader-parent-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.real_user.group.name: + dashed_name: process-session-leader-parent-real-user-group-name + description: Name of the group. 
+ flat_name: process.session_leader.parent.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.real_user.hash: + dashed_name: process-session-leader-parent-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.session_leader.parent.real_user.id: + dashed_name: process-session-leader-parent-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.session_leader.parent.real_user.name: + dashed_name: process-session-leader-parent-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.session_leader.parent.real_user.risk.calculated_level: + dashed_name: process-session-leader-parent-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.session_leader.parent.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.session_leader.parent.real_user.risk.calculated_score: + dashed_name: process-session-leader-parent-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.session_leader.parent.real_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.session_leader.parent.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.session_leader.parent.real_user.risk.static_level: + dashed_name: process-session-leader-parent-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.session_leader.parent.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.session_leader.parent.real_user.risk.static_score: + dashed_name: process-session-leader-parent-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.session_leader.parent.real_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.session_leader.parent.real_user.roles: + dashed_name: process-session-leader-parent-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword +process.session_leader.parent.same_as_process: + dashed_name: process-session-leader-parent-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.session_leader.parent.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.session_leader.parent.saved_group.domain: + dashed_name: process-session-leader-parent-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.session_leader.parent.saved_group.id: + dashed_name: process-session-leader-parent-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.saved_group.name: + dashed_name: process-session-leader-parent-saved-group-name + description: Name of the group. + flat_name: process.session_leader.parent.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.saved_user.domain: + dashed_name: process-session-leader-parent-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.session_leader.parent.saved_user.email: + dashed_name: process-session-leader-parent-saved-user-email + description: User email address. + flat_name: process.session_leader.parent.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.session_leader.parent.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. 
Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.session_leader.parent.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.session_leader.parent.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.session_leader.parent.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.session_leader.parent.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.session_leader.parent.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.saved_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.session_leader.parent.saved_user.entity.id: + dashed_name: process-session-leader-parent-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.session_leader.parent.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.session_leader.parent.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.parent.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." 
+ type: date +process.session_leader.parent.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.session_leader.parent.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.session_leader.parent.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.session_leader.parent.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. 
+ flat_name: process.session_leader.parent.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.saved_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.session_leader.parent.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.session_leader.parent.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.session_leader.parent.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.parent.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.session_leader.parent.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). 
+ flat_name: process.session_leader.parent.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.session_leader.parent.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.parent.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.session_leader.parent.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. 
This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. 
This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.session_leader.parent.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.session_leader.parent.saved_user.full_name: + dashed_name: process-session-leader-parent-saved-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.session_leader.parent.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.session_leader.parent.saved_user.group.domain: + dashed_name: process-session-leader-parent-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.saved_user.group.id: + dashed_name: process-session-leader-parent-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.saved_user.group.name: + dashed_name: process-session-leader-parent-saved-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.saved_user.hash: + dashed_name: process-session-leader-parent-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.session_leader.parent.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.session_leader.parent.saved_user.id: + dashed_name: process-session-leader-parent-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.session_leader.parent.saved_user.name: + dashed_name: process-session-leader-parent-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.session_leader.parent.saved_user.risk.calculated_level: + dashed_name: process-session-leader-parent-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: keyword +process.session_leader.parent.saved_user.risk.calculated_score: + dashed_name: process-session-leader-parent-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.session_leader.parent.saved_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.session_leader.parent.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.session_leader.parent.saved_user.risk.static_level: + dashed_name: process-session-leader-parent-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: keyword +process.session_leader.parent.saved_user.risk.static_score: + dashed_name: process-session-leader-parent-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.session_leader.parent.saved_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.session_leader.parent.saved_user.roles: + dashed_name: process-session-leader-parent-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.session_leader.parent.session_leader.args: + dashed_name: process-session-leader-parent-session-leader-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' 
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.session_leader.parent.session_leader.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword +process.session_leader.parent.session_leader.args_count: + dashed_name: process-session-leader-parent-session-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.session_leader.parent.session_leader.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long +process.session_leader.parent.session_leader.attested_groups.domain: + dashed_name: process-session-leader-parent-session-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.session_leader.attested_groups.id: + dashed_name: process-session-leader-parent-session-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword +process.session_leader.parent.session_leader.attested_groups.name: + dashed_name: process-session-leader-parent-session-leader-attested-groups-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.session_leader.attested_user.domain: + dashed_name: process-session-leader-parent-session-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.session_leader.parent.session_leader.attested_user.email: + dashed_name: process-session-leader-parent-session-leader-attested-user-email + description: User email address. + flat_name: process.session_leader.parent.session_leader.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.session_leader.parent.session_leader.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. 
+ flat_name: process.session_leader.parent.session_leader.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.session_leader.parent.session_leader.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.session_leader.parent.session_leader.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.session_leader.parent.session_leader.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.attested_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.session_leader.parent.session_leader.attested_user.entity.id: + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.session_leader.parent.session_leader.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.session_leader.parent.session_leader.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. 
+ flat_name: process.session_leader.parent.session_leader.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.session_leader.parent.session_leader.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.session_leader.parent.session_leader.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.session_leader.parent.session_leader.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.session_leader.parent.session_leader.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. 
For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.session_leader.parent.session_leader.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.attested_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.session_leader.parent.session_leader.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.session_leader.parent.session_leader.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.session_leader.parent.session_leader.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.parent.session_leader.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. 
+ type: keyword +process.session_leader.parent.session_leader.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.session_leader.parent.session_leader.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.session_leader.parent.session_leader.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.parent.session_leader.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.session_leader.parent.session_leader.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. 
+ name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
+ example: host + flat_name: process.session_leader.parent.session_leader.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.session_leader.parent.session_leader.attested_user.full_name: + dashed_name: process-session-leader-parent-session-leader-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.session_leader.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.session_leader.parent.session_leader.attested_user.group.domain: + dashed_name: process-session-leader-parent-session-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.session_leader.attested_user.group.id: + dashed_name: process-session-leader-parent-session-leader-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword +process.session_leader.parent.session_leader.attested_user.group.name: + dashed_name: process-session-leader-parent-session-leader-attested-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.session_leader.attested_user.hash: + dashed_name: process-session-leader-parent-session-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.session_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.session_leader.parent.session_leader.attested_user.id: + dashed_name: process-session-leader-parent-session-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.session_leader.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.session_leader.parent.session_leader.attested_user.name: + dashed_name: process-session-leader-parent-session-leader-attested-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.session_leader.parent.session_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.session_leader.parent.session_leader.attested_user.risk.calculated_level: + dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.session_leader.parent.session_leader.attested_user.risk.calculated_score: + dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: float +process.session_leader.parent.session_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.session_leader.parent.session_leader.attested_user.risk.static_level: + dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.session_leader.parent.session_leader.attested_user.risk.static_score: + dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: float +process.session_leader.parent.session_leader.attested_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.session_leader.parent.session_leader.attested_user.roles: + dashed_name: process-session-leader-parent-session-leader-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.session_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.session_leader.parent.session_leader.code_signature.digest_algorithm: + dashed_name: process-session-leader-parent-session-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times by + the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.session_leader.parent.session_leader.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. 
+ type: keyword +process.session_leader.parent.session_leader.code_signature.exists: + dashed_name: process-session-leader-parent-session-leader-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.session_leader.parent.session_leader.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +process.session_leader.parent.session_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.session_leader.parent.session_leader.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword +process.session_leader.parent.session_leader.code_signature.signing_id: + dashed_name: process-session-leader-parent-session-leader-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.session_leader.parent.session_leader.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +process.session_leader.parent.session_leader.code_signature.status: + dashed_name: process-session-leader-parent-session-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. 
Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.session_leader.parent.session_leader.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +process.session_leader.parent.session_leader.code_signature.subject_name: + dashed_name: process-session-leader-parent-session-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.session_leader.parent.session_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.session_leader.parent.session_leader.code_signature.team_id: + dashed_name: process-session-leader-parent-session-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.session_leader.parent.session_leader.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword +process.session_leader.parent.session_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. 
+ example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.session_leader.parent.session_leader.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword +process.session_leader.parent.session_leader.code_signature.timestamp: + dashed_name: process-session-leader-parent-session-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.session_leader.parent.session_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date +process.session_leader.parent.session_leader.code_signature.trusted: + dashed_name: process-session-leader-parent-session-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.session_leader.parent.session_leader.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +process.session_leader.parent.session_leader.code_signature.valid: + dashed_name: process-session-leader-parent-session-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' 
+ example: 'true' + flat_name: process.session_leader.parent.session_leader.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +process.session_leader.parent.session_leader.command_line: + dashed_name: process-session-leader-parent-session-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.session_leader.parent.session_leader.command_line + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.session_leader.parent.session_leader.elf.architecture: + dashed_name: process-session-leader-parent-session-leader-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.session_leader.parent.session_leader.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +process.session_leader.parent.session_leader.elf.byte_order: + dashed_name: process-session-leader-parent-session-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.session_leader.parent.session_leader.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. 
+ type: keyword +process.session_leader.parent.session_leader.elf.cpu_type: + dashed_name: process-session-leader-parent-session-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.session_leader.parent.session_leader.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +process.session_leader.parent.session_leader.elf.creation_date: + dashed_name: process-session-leader-parent-session-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: process.session_leader.parent.session_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +process.session_leader.parent.session_leader.elf.exports: + dashed_name: process-session-leader-parent-session-leader-elf-exports + description: List of exported element names and types. + flat_name: process.session_leader.parent.session_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +process.session_leader.parent.session_leader.elf.go_import_hash: + dashed_name: process-session-leader-parent-session-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.parent.session_leader.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +process.session_leader.parent.session_leader.elf.go_imports: + dashed_name: process-session-leader-parent-session-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.parent.session_leader.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +process.session_leader.parent.session_leader.elf.go_imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.session_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +process.session_leader.parent.session_leader.elf.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.session_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long +process.session_leader.parent.session_leader.elf.go_stripped: + dashed_name: process-session-leader-parent-session-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.parent.session_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.session_leader.parent.session_leader.elf.header.abi_version: + dashed_name: process-session-leader-parent-session-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.session_leader.parent.session_leader.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +process.session_leader.parent.session_leader.elf.header.class: + dashed_name: process-session-leader-parent-session-leader-elf-header-class + description: Header class of the ELF file. + flat_name: process.session_leader.parent.session_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +process.session_leader.parent.session_leader.elf.header.data: + dashed_name: process-session-leader-parent-session-leader-elf-header-data + description: Data table of the ELF header. + flat_name: process.session_leader.parent.session_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. 
+ type: keyword +process.session_leader.parent.session_leader.elf.header.entrypoint: + dashed_name: process-session-leader-parent-session-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.session_leader.parent.session_leader.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +process.session_leader.parent.session_leader.elf.header.object_version: + dashed_name: process-session-leader-parent-session-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.session_leader.parent.session_leader.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +process.session_leader.parent.session_leader.elf.header.os_abi: + dashed_name: process-session-leader-parent-session-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.session_leader.parent.session_leader.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +process.session_leader.parent.session_leader.elf.header.type: + dashed_name: process-session-leader-parent-session-leader-elf-header-type + description: Header type of the ELF file. + flat_name: process.session_leader.parent.session_leader.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +process.session_leader.parent.session_leader.elf.header.version: + dashed_name: process-session-leader-parent-session-leader-elf-header-version + description: Version of the ELF header. 
+ flat_name: process.session_leader.parent.session_leader.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.session_leader.parent.session_leader.elf.import_hash: + dashed_name: process-session-leader-parent-session-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.parent.session_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword +process.session_leader.parent.session_leader.elf.imports: + dashed_name: process-session-leader-parent-session-leader-elf-imports + description: List of imported element names and types. + flat_name: process.session_leader.parent.session_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.session_leader.parent.session_leader.elf.imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.session_leader.parent.session_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. 
+ type: long +process.session_leader.parent.session_leader.elf.imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.parent.session_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.session_leader.parent.session_leader.elf.sections: + dashed_name: process-session-leader-parent-session-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: process.session_leader.parent.session_leader.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +process.session_leader.parent.session_leader.elf.sections.chi2: + dashed_name: process-session-leader-parent-session-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.session_leader.parent.session_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +process.session_leader.parent.session_leader.elf.sections.entropy: + dashed_name: process-session-leader-parent-session-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: process.session_leader.parent.session_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +process.session_leader.parent.session_leader.elf.sections.flags: + dashed_name: process-session-leader-parent-session-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.session_leader.parent.session_leader.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +process.session_leader.parent.session_leader.elf.sections.name: + dashed_name: process-session-leader-parent-session-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.session_leader.parent.session_leader.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +process.session_leader.parent.session_leader.elf.sections.physical_offset: + dashed_name: process-session-leader-parent-session-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.session_leader.parent.session_leader.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +process.session_leader.parent.session_leader.elf.sections.physical_size: + dashed_name: process-session-leader-parent-session-leader-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.session_leader.parent.session_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. 
+ type: long +process.session_leader.parent.session_leader.elf.sections.type: + dashed_name: process-session-leader-parent-session-leader-elf-sections-type + description: ELF Section List type. + flat_name: process.session_leader.parent.session_leader.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +process.session_leader.parent.session_leader.elf.sections.var_entropy: + dashed_name: process-session-leader-parent-session-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.session_leader.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long +process.session_leader.parent.session_leader.elf.sections.virtual_address: + dashed_name: process-session-leader-parent-session-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.session_leader.parent.session_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.session_leader.parent.session_leader.elf.sections.virtual_size: + dashed_name: process-session-leader-parent-session-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.session_leader.parent.session_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. 
+ type: long +process.session_leader.parent.session_leader.elf.segments: + dashed_name: process-session-leader-parent-session-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: process.session_leader.parent.session_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +process.session_leader.parent.session_leader.elf.segments.sections: + dashed_name: process-session-leader-parent-session-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.session_leader.parent.session_leader.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +process.session_leader.parent.session_leader.elf.segments.type: + dashed_name: process-session-leader-parent-session-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.session_leader.parent.session_leader.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +process.session_leader.parent.session_leader.elf.shared_libraries: + dashed_name: process-session-leader-parent-session-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.session_leader.parent.session_leader.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. 
+ type: keyword +process.session_leader.parent.session_leader.elf.telfhash: + dashed_name: process-session-leader-parent-session-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.session_leader.parent.session_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +process.session_leader.parent.session_leader.end: + dashed_name: process-session-leader-parent-session-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.parent.session_leader.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date +process.session_leader.parent.session_leader.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.session_leader.parent.session_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean +process.session_leader.parent.session_leader.entity_id: + dashed_name: process-session-leader-parent-session-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. 
+ + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.session_leader.parent.session_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.address: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.session_leader.parent.session_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.as.number: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.session_leader.parent.session_leader.entry_meta.source.as.organization.name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.bytes: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.session_leader.parent.session_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long +process.session_leader.parent.session_leader.entry_meta.source.domain: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com + flat_name: process.session_leader.parent.session_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.geo.city_name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. 
+ type: keyword +process.session_leader.parent.session_leader.entry_meta.source.geo.continent_code: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.geo.continent_name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.geo.country_name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. 
+ type: keyword +process.session_leader.parent.session_leader.entry_meta.source.geo.location: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +process.session_leader.parent.session_leader.entry_meta.source.geo.name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.geo.postal_code: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. 
+ type: keyword +process.session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.geo.region_name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.geo.timezone: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.ip: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.session_leader.parent.session_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. 
+ type: ip +process.session_leader.parent.session_leader.entry_meta.source.mac: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.session_leader.parent.session_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.nat.ip: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.session_leader.parent.session_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.session_leader.parent.session_leader.entry_meta.source.nat.port: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' 
+ flat_name: process.session_leader.parent.session_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.session_leader.parent.session_leader.entry_meta.source.packets: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.session_leader.parent.session_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.session_leader.parent.session_leader.entry_meta.source.port: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.session_leader.parent.session_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.session_leader.parent.session_leader.entry_meta.source.registered_domain: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.session_leader.parent.session_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. 
+ type: keyword +process.session_leader.parent.session_leader.entry_meta.source.subdomain: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.session_leader.parent.session_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.top_level_domain: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.session_leader.parent.session_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). 
+ type: keyword +process.session_leader.parent.session_leader.entry_meta.type: + dashed_name: process-session-leader-parent-session-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.session_leader.parent.session_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword +process.session_leader.parent.session_leader.env_vars: + dashed_name: process-session-leader-parent-session-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.session_leader.parent.session_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.session_leader.parent.session_leader.executable: + dashed_name: process-session-leader-parent-session-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.session_leader.parent.session_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. 
+ type: keyword +process.session_leader.parent.session_leader.exit_code: + dashed_name: process-session-leader-parent-session-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.session_leader.parent.session_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long +process.session_leader.parent.session_leader.group.domain: + dashed_name: process-session-leader-parent-session-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.session_leader.group.id: + dashed_name: process-session-leader-parent-session-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.session_leader.group.name: + dashed_name: process-session-leader-parent-session-leader-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.session_leader.hash.cdhash: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.session_leader.parent.session_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.session_leader.parent.session_leader.hash.md5: + dashed_name: process-session-leader-parent-session-leader-hash-md5 + description: MD5 hash. + flat_name: process.session_leader.parent.session_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.session_leader.parent.session_leader.hash.sha1: + dashed_name: process-session-leader-parent-session-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.session_leader.parent.session_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.session_leader.parent.session_leader.hash.sha256: + dashed_name: process-session-leader-parent-session-leader-hash-sha256 + description: SHA256 hash. + flat_name: process.session_leader.parent.session_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.session_leader.parent.session_leader.hash.sha384: + dashed_name: process-session-leader-parent-session-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.session_leader.parent.session_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. 
+ type: keyword +process.session_leader.parent.session_leader.hash.sha512: + dashed_name: process-session-leader-parent-session-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.session_leader.parent.session_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.session_leader.parent.session_leader.hash.ssdeep: + dashed_name: process-session-leader-parent-session-leader-hash-ssdeep + description: SSDEEP hash. + flat_name: process.session_leader.parent.session_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +process.session_leader.parent.session_leader.hash.tlsh: + dashed_name: process-session-leader-parent-session-leader-hash-tlsh + description: TLSH hash. + flat_name: process.session_leader.parent.session_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.session_leader.parent.session_leader.interactive: + dashed_name: process-session-leader-parent-session-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' 
+ example: true + flat_name: process.session_leader.parent.session_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.session_leader.parent.session_leader.io: + dashed_name: process-session-leader-parent-session-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.session_leader.parent.session_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object +process.session_leader.parent.session_leader.io.bytes_skipped: + dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. + flat_name: process.session_leader.parent.session_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.session_leader.parent.session_leader.io.bytes_skipped.length: + dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.session_leader.parent.session_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long +process.session_leader.parent.session_leader.io.bytes_skipped.offset: + dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. 
+ flat_name: process.session_leader.parent.session_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.session_leader.parent.session_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-session-leader-parent-session-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.session_leader.parent.session_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.session_leader.parent.session_leader.io.text: + dashed_name: process-session-leader-parent-session-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.session_leader.parent.session_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard +process.session_leader.parent.session_leader.io.total_bytes_captured: + dashed_name: process-session-leader-parent-session-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. 
+ flat_name: process.session_leader.parent.session_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long +process.session_leader.parent.session_leader.io.total_bytes_skipped: + dashed_name: process-session-leader-parent-session-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.session_leader.parent.session_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: long +process.session_leader.parent.session_leader.io.type: + dashed_name: process-session-leader-parent-session-leader-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.session_leader.parent.session_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword +process.session_leader.parent.session_leader.macho.go_import_hash: + dashed_name: process-session-leader-parent-session-leader-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.parent.session_leader.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword +process.session_leader.parent.session_leader.macho.go_imports: + dashed_name: process-session-leader-parent-session-leader-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.parent.session_leader.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.session_leader.parent.session_leader.macho.go_imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.session_leader.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.session_leader.parent.session_leader.macho.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.session_leader.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long +process.session_leader.parent.session_leader.macho.go_stripped: + dashed_name: process-session-leader-parent-session-leader-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.parent.session_leader.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.session_leader.parent.session_leader.macho.import_hash: + dashed_name: process-session-leader-parent-session-leader-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.parent.session_leader.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.session_leader.parent.session_leader.macho.imports: + dashed_name: process-session-leader-parent-session-leader-macho-imports + description: List of imported element names and types. + flat_name: process.session_leader.parent.session_leader.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.session_leader.parent.session_leader.macho.imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.session_leader.parent.session_leader.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.session_leader.parent.session_leader.macho.imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.parent.session_leader.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.session_leader.parent.session_leader.macho.sections: + dashed_name: process-session-leader-parent-session-leader-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.session_leader.parent.session_leader.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.session_leader.parent.session_leader.macho.sections.entropy: + dashed_name: process-session-leader-parent-session-leader-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.session_leader.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. 
+ type: long +process.session_leader.parent.session_leader.macho.sections.name: + dashed_name: process-session-leader-parent-session-leader-macho-sections-name + description: Mach-O Section List name. + flat_name: process.session_leader.parent.session_leader.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.session_leader.parent.session_leader.macho.sections.physical_size: + dashed_name: process-session-leader-parent-session-leader-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.session_leader.parent.session_leader.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.session_leader.parent.session_leader.macho.sections.var_entropy: + dashed_name: process-session-leader-parent-session-leader-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.session_leader.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.session_leader.parent.session_leader.macho.sections.virtual_size: + dashed_name: process-session-leader-parent-session-leader-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.session_leader.parent.session_leader.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. 
+ type: long +process.session_leader.parent.session_leader.macho.symhash: + dashed_name: process-session-leader-parent-session-leader-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.session_leader.parent.session_leader.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.session_leader.parent.session_leader.name: + dashed_name: process-session-leader-parent-session-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.session_leader.parent.session_leader.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword +process.session_leader.parent.session_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + flat_name: process.session_leader.parent.session_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.session_leader.parent.session_leader.origin_url: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.session_leader.parent.session_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword +process.session_leader.parent.session_leader.pe.architecture: + dashed_name: process-session-leader-parent-session-leader-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.session_leader.parent.session_leader.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +process.session_leader.parent.session_leader.pe.company: + dashed_name: process-session-leader-parent-session-leader-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.session_leader.parent.session_leader.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.session_leader.parent.session_leader.pe.description: + dashed_name: process-session-leader-parent-session-leader-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.session_leader.parent.session_leader.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. 
+ type: keyword +process.session_leader.parent.session_leader.pe.file_version: + dashed_name: process-session-leader-parent-session-leader-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.session_leader.parent.session_leader.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +process.session_leader.parent.session_leader.pe.go_import_hash: + dashed_name: process-session-leader-parent-session-leader-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.parent.session_leader.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword +process.session_leader.parent.session_leader.pe.go_imports: + dashed_name: process-session-leader-parent-session-leader-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.parent.session_leader.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. 
+ type: flattened +process.session_leader.parent.session_leader.pe.go_imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.session_leader.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.session_leader.parent.session_leader.pe.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.session_leader.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.session_leader.parent.session_leader.pe.go_stripped: + dashed_name: process-session-leader-parent-session-leader-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.parent.session_leader.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.session_leader.parent.session_leader.pe.imphash: + dashed_name: process-session-leader-parent-session-leader-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
+ + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.session_leader.parent.session_leader.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.session_leader.parent.session_leader.pe.import_hash: + dashed_name: process-session-leader-parent-session-leader-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.parent.session_leader.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.session_leader.parent.session_leader.pe.imports: + dashed_name: process-session-leader-parent-session-leader-pe-imports + description: List of imported element names and types. + flat_name: process.session_leader.parent.session_leader.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +process.session_leader.parent.session_leader.pe.imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.session_leader.parent.session_leader.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. 
+ type: long +process.session_leader.parent.session_leader.pe.imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.parent.session_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.session_leader.parent.session_leader.pe.original_file_name: + dashed_name: process-session-leader-parent-session-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.session_leader.parent.session_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +process.session_leader.parent.session_leader.pe.pehash: + dashed_name: process-session-leader-parent-session-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.session_leader.parent.session_leader.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. 
+ type: keyword +process.session_leader.parent.session_leader.pe.product: + dashed_name: process-session-leader-parent-session-leader-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.session_leader.parent.session_leader.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.session_leader.parent.session_leader.pe.sections: + dashed_name: process-session-leader-parent-session-leader-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.session_leader.parent.session_leader.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.session_leader.parent.session_leader.pe.sections.entropy: + dashed_name: process-session-leader-parent-session-leader-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.session_leader.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.session_leader.parent.session_leader.pe.sections.name: + dashed_name: process-session-leader-parent-session-leader-pe-sections-name + description: PE Section List name. + flat_name: process.session_leader.parent.session_leader.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. 
+ type: keyword +process.session_leader.parent.session_leader.pe.sections.physical_size: + dashed_name: process-session-leader-parent-session-leader-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.session_leader.parent.session_leader.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.session_leader.parent.session_leader.pe.sections.var_entropy: + dashed_name: process-session-leader-parent-session-leader-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.session_leader.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.session_leader.parent.session_leader.pe.sections.virtual_size: + dashed_name: process-session-leader-parent-session-leader-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.session_leader.parent.session_leader.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.session_leader.parent.session_leader.pid: + dashed_name: process-session-leader-parent-session-leader-pid + description: Process id. + example: 4242 + flat_name: process.session_leader.parent.session_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.session_leader.parent.session_leader.platform_binary: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. + flat_name: process.session_leader.parent.session_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.session_leader.parent.session_leader.real_group.domain: + dashed_name: process-session-leader-parent-session-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.session_leader.real_group.id: + dashed_name: process-session-leader-parent-session-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.session_leader.real_group.name: + dashed_name: process-session-leader-parent-session-leader-real-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.session_leader.parent.session_leader.real_user.domain: + dashed_name: process-session-leader-parent-session-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.session_leader.parent.session_leader.real_user.email: + dashed_name: process-session-leader-parent-session-leader-real-user-email + description: User email address. + flat_name: process.session_leader.parent.session_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.session_leader.parent.session_leader.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.session_leader.parent.session_leader.real_user.entity.behavior: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.session_leader.parent.session_leader.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.parent.session_leader.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.real_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.session_leader.parent.session_leader.real_user.entity.id: + dashed_name: process-session-leader-parent-session-leader-real-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.session_leader.parent.session_leader.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.session_leader.parent.session_leader.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.parent.session_leader.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.session_leader.parent.session_leader.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.session_leader.parent.session_leader.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.session_leader.parent.session_leader.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.session_leader.parent.session_leader.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.session_leader.parent.session_leader.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.session_leader.parent.session_leader.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.real_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.session_leader.parent.session_leader.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. 
While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.session_leader.parent.session_leader.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.session_leader.parent.session_leader.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.parent.session_leader.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.session_leader.parent.session_leader.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.session_leader.parent.session_leader.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.session_leader.parent.session_leader.real_user.entity.sub_type: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.parent.session_leader.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.session_leader.parent.session_leader.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. 
This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.session_leader.parent.session_leader.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.session_leader.parent.session_leader.real_user.full_name: + dashed_name: process-session-leader-parent-session-leader-real-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.session_leader.parent.session_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.session_leader.parent.session_leader.real_user.group.domain: + dashed_name: process-session-leader-parent-session-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.session_leader.real_user.group.id: + dashed_name: process-session-leader-parent-session-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.session_leader.real_user.group.name: + dashed_name: process-session-leader-parent-session-leader-real-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.session_leader.parent.session_leader.real_user.hash: + dashed_name: process-session-leader-parent-session-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.session_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.session_leader.parent.session_leader.real_user.id: + dashed_name: process-session-leader-parent-session-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.session_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.session_leader.parent.session_leader.real_user.name: + dashed_name: process-session-leader-parent-session-leader-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.session_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.session_leader.parent.session_leader.real_user.risk.calculated_level: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.session_leader.parent.session_leader.real_user.risk.calculated_score: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.session_leader.parent.session_leader.real_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.session_leader.parent.session_leader.real_user.risk.static_level: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.session_leader.parent.session_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.session_leader.parent.session_leader.real_user.risk.static_score: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.session_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.session_leader.parent.session_leader.real_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.session_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.session_leader.parent.session_leader.real_user.roles: + dashed_name: process-session-leader-parent-session-leader-real-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.session_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.session_leader.parent.session_leader.same_as_process: + dashed_name: process-session-leader-parent-session-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.session_leader.parent.session_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. 
+ type: boolean +process.session_leader.parent.session_leader.saved_group.domain: + dashed_name: process-session-leader-parent-session-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.session_leader.saved_group.id: + dashed_name: process-session-leader-parent-session-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.session_leader.saved_group.name: + dashed_name: process-session-leader-parent-session-leader-saved-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.session_leader.saved_user.domain: + dashed_name: process-session-leader-parent-session-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. 
+ type: keyword +process.session_leader.parent.session_leader.saved_user.email: + dashed_name: process-session-leader-parent-session-leader-saved-user-email + description: User email address. + flat_name: process.session_leader.parent.session_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.session_leader.parent.session_leader.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.session_leader.parent.session_leader.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. 
+ flat_name: process.session_leader.parent.session_leader.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.session_leader.parent.session_leader.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.parent.session_leader.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.saved_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.session_leader.parent.session_leader.saved_user.entity.id: + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' 
+ flat_name: process.session_leader.parent.session_leader.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.session_leader.parent.session_leader.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.parent.session_leader.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.session_leader.parent.session_leader.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.session_leader.parent.session_leader.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. 
+ flat_name: process.session_leader.parent.session_leader.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.session_leader.parent.session_leader.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.session_leader.parent.session_leader.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.saved_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.session_leader.parent.session_leader.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.session_leader.parent.session_leader.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.session_leader.parent.session_leader.saved_user.entity.reference: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.parent.session_leader.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.session_leader.parent.session_leader.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.session_leader.parent.session_leader.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.session_leader.parent.session_leader.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: process.session_leader.parent.session_leader.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.session_leader.parent.session_leader.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. 
This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.session_leader.parent.session_leader.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.session_leader.parent.session_leader.saved_user.full_name: + dashed_name: process-session-leader-parent-session-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.session_leader.saved_user.full_name ignore_above: 1024 level: extended - name: cdhash + multi_fields: + - flat_name: process.session_leader.parent.session_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. + original_fieldset: user + short: User's full name, if available. type: keyword -process.parent.hash.md5: - dashed_name: process-parent-hash-md5 - description: MD5 hash. - flat_name: process.parent.hash.md5 +process.session_leader.parent.session_leader.saved_user.group.domain: + dashed_name: process-session-leader-parent-session-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. 
+ + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.saved_user.group.domain ignore_above: 1024 level: extended - name: md5 + name: domain normalize: [] - original_fieldset: hash - short: MD5 hash. + original_fieldset: group + short: Name of the directory the group is a member of. type: keyword -process.parent.hash.sha1: - dashed_name: process-parent-hash-sha1 - description: SHA1 hash. - flat_name: process.parent.hash.sha1 +process.session_leader.parent.session_leader.saved_user.group.id: + dashed_name: process-session-leader-parent-session-leader-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.saved_user.group.id ignore_above: 1024 level: extended - name: sha1 + name: id normalize: [] - original_fieldset: hash - short: SHA1 hash. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword -process.parent.hash.sha256: - dashed_name: process-parent-hash-sha256 - description: SHA256 hash. - flat_name: process.parent.hash.sha256 +process.session_leader.parent.session_leader.saved_user.group.name: + dashed_name: process-session-leader-parent-session-leader-saved-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.saved_user.group.name ignore_above: 1024 level: extended - name: sha256 + name: name normalize: [] - original_fieldset: hash - short: SHA256 hash. + original_fieldset: group + short: Name of the group. type: keyword -process.parent.hash.sha384: - dashed_name: process-parent-hash-sha384 - description: SHA384 hash. - flat_name: process.parent.hash.sha384 +process.session_leader.parent.session_leader.saved_user.hash: + dashed_name: process-session-leader-parent-session-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. 
+ + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.session_leader.saved_user.hash ignore_above: 1024 level: extended - name: sha384 + name: hash normalize: [] - original_fieldset: hash - short: SHA384 hash. + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. type: keyword -process.parent.hash.sha512: - dashed_name: process-parent-hash-sha512 - description: SHA512 hash. - flat_name: process.parent.hash.sha512 +process.session_leader.parent.session_leader.saved_user.id: + dashed_name: process-session-leader-parent-session-leader-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.session_leader.saved_user.id ignore_above: 1024 - level: extended - name: sha512 + level: core + name: id normalize: [] - original_fieldset: hash - short: SHA512 hash. + original_fieldset: user + short: Unique identifier of the user. type: keyword -process.parent.hash.ssdeep: - dashed_name: process-parent-hash-ssdeep - description: SSDEEP hash. - flat_name: process.parent.hash.ssdeep +process.session_leader.parent.session_leader.saved_user.name: + dashed_name: process-session-leader-parent-session-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.session_leader.saved_user.name ignore_above: 1024 - level: extended - name: ssdeep + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.saved_user.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: hash - short: SSDEEP hash. + original_fieldset: user + short: Short name or login of the user. type: keyword -process.parent.hash.tlsh: - dashed_name: process-parent-hash-tlsh - description: TLSH hash. 
- flat_name: process.parent.hash.tlsh +process.session_leader.parent.session_leader.saved_user.risk.calculated_level: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_level ignore_above: 1024 level: extended - name: tlsh + name: calculated_level normalize: [] - original_fieldset: hash - short: TLSH hash. + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. type: keyword -process.parent.interactive: - dashed_name: process-parent-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.parent.interactive +process.session_leader.parent.session_leader.saved_user.risk.calculated_score: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_score level: extended - name: interactive + name: calculated_score normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.parent.macho.go_import_hash: - dashed_name: process-parent-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.macho.go_import_hash + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.session_leader.parent.session_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float +process.session_leader.parent.session_leader.saved_user.risk.static_level: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_level ignore_above: 1024 level: extended - name: go_import_hash + name: static_level normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. type: keyword -process.parent.macho.go_imports: - dashed_name: process-parent-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.macho.go_imports +process.session_leader.parent.session_leader.saved_user.risk.static_score: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_score level: extended - name: go_imports + name: static_score normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.parent.macho.go_imports_names_entropy: - dashed_name: process-parent-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.macho.go_imports_names_entropy - format: number + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: float +process.session_leader.parent.session_leader.saved_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_score_norm level: extended - name: go_imports_names_entropy + name: static_score_norm normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long -process.parent.macho.go_imports_names_var_entropy: - dashed_name: process-parent-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.macho.go_imports_names_var_entropy - format: number + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.session_leader.parent.session_leader.saved_user.roles: + dashed_name: process-session-leader-parent-session-leader-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.session_leader.saved_user.roles + ignore_above: 1024 level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.parent.macho.go_stripped: - dashed_name: process-parent-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.macho.go_stripped + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword +process.session_leader.parent.session_leader.start: + dashed_name: process-session-leader-parent-session-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.parent.session_leader.start level: extended - name: go_stripped + name: start normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.parent.macho.import_hash: - dashed_name: process-parent-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. + original_fieldset: process + short: The time the process started. + type: date +process.session_leader.parent.session_leader.supplemental_groups.domain: + dashed_name: process-session-leader-parent-session-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.macho.import_hash + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.supplemental_groups.domain ignore_above: 1024 level: extended - name: import_hash + name: domain normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. + original_fieldset: group + short: Name of the directory the group is a member of. type: keyword -process.parent.macho.imports: - dashed_name: process-parent-macho-imports - description: List of imported element names and types. - flat_name: process.parent.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. 
- type: flattened -process.parent.macho.imports_names_entropy: - dashed_name: process-parent-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.parent.macho.imports_names_entropy - format: number +process.session_leader.parent.session_leader.supplemental_groups.id: + dashed_name: process-session-leader-parent-session-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.supplemental_groups.id + ignore_above: 1024 level: extended - name: imports_names_entropy + name: id normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.parent.macho.imports_names_var_entropy: - dashed_name: process-parent-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.macho.imports_names_var_entropy - format: number + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.session_leader.supplemental_groups.name: + dashed_name: process-session-leader-parent-session-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.supplemental_groups.name + ignore_above: 1024 level: extended - name: imports_names_var_entropy + name: name normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.parent.macho.sections: - dashed_name: process-parent-macho-sections - description: 'An array containing an object for each section of the Mach-O file. 
- - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.parent.macho.sections + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.session_leader.thread.capabilities.effective: + dashed_name: process-session-leader-parent-session-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.session_leader.parent.session_leader.thread.capabilities.effective + ignore_above: 1024 level: extended - name: sections + name: thread.capabilities.effective normalize: - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested -process.parent.macho.sections.entropy: - dashed_name: process-parent-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long -process.parent.macho.sections.name: - dashed_name: process-parent-macho-sections-name - description: Mach-O Section List name. - flat_name: process.parent.macho.sections.name + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword +process.session_leader.parent.session_leader.thread.capabilities.permitted: + dashed_name: process-session-leader-parent-session-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.session_leader.parent.session_leader.thread.capabilities.permitted ignore_above: 1024 level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none type: keyword -process.parent.macho.sections.physical_size: - dashed_name: process-parent-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.parent.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long -process.parent.macho.sections.var_entropy: - dashed_name: process-parent-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long -process.parent.macho.sections.virtual_size: - dashed_name: process-parent-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.macho.sections.virtual_size +process.session_leader.parent.session_leader.thread.id: + dashed_name: process-session-leader-parent-session-leader-thread-id + description: Thread ID. + example: 4242 + flat_name: process.session_leader.parent.session_leader.thread.id format: string level: extended - name: sections.virtual_size + name: thread.id normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. 
+ original_fieldset: process + short: Thread ID. type: long -process.parent.macho.symhash: - dashed_name: process-parent-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.parent.macho.symhash +process.session_leader.parent.session_leader.thread.name: + dashed_name: process-session-leader-parent-session-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.session_leader.parent.session_leader.thread.name ignore_above: 1024 level: extended - name: symhash + name: thread.name normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. + original_fieldset: process + short: Thread name. type: keyword -process.parent.name: - dashed_name: process-parent-name - description: 'Process name. +process.session_leader.parent.session_leader.title: + dashed_name: process-session-leader-parent-session-leader-title + description: 'Process title. - Sometimes called program name or similar.' - example: ssh - flat_name: process.parent.name + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' + flat_name: process.session_leader.parent.session_leader.title ignore_above: 1024 level: extended multi_fields: - - flat_name: process.parent.name.text + - flat_name: process.session_leader.parent.session_leader.title.text name: text type: match_only_text - name: name + name: title normalize: [] original_fieldset: process - short: Process name. - type: keyword -process.parent.pe.architecture: - dashed_name: process-parent-pe-architecture - description: CPU architecture target for the file. 
- example: x64 - flat_name: process.parent.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. + short: Process title. type: keyword -process.parent.pe.company: - dashed_name: process-parent-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.parent.pe.company - ignore_above: 1024 +process.session_leader.parent.session_leader.tty: + dashed_name: process-session-leader-parent-session-leader-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.session_leader.parent.session_leader.tty level: extended - name: company + name: tty normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.parent.pe.description: - dashed_name: process-parent-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.parent.pe.description - ignore_above: 1024 + original_fieldset: process + short: Information about the controlling TTY device. + type: object +process.session_leader.parent.session_leader.tty.char_device.major: + dashed_name: process-session-leader-parent-session-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. 
+ example: 4 + flat_name: process.session_leader.parent.session_leader.tty.char_device.major level: extended - name: description + name: tty.char_device.major normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword -process.parent.pe.file_version: - dashed_name: process-parent-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.parent.pe.file_version - ignore_above: 1024 + original_fieldset: process + short: The TTY character device's major number. + type: long +process.session_leader.parent.session_leader.tty.char_device.minor: + dashed_name: process-session-leader-parent-session-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.session_leader.parent.session_leader.tty.char_device.minor level: extended - name: file_version + name: tty.char_device.minor normalize: [] - original_fieldset: pe - short: Process name. - type: keyword -process.parent.pe.go_import_hash: - dashed_name: process-parent-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. + original_fieldset: process + short: The TTY character device's minor number. + type: long +process.session_leader.parent.session_leader.tty.columns: + dashed_name: process-session-leader-parent-session-leader-tty-columns + description: 'The number of character columns per line. 
e.g terminal width - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword -process.parent.pe.go_imports: - dashed_name: process-parent-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened -process.parent.pe.go_imports_names_entropy: - dashed_name: process-parent-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.pe.go_imports_names_entropy - format: number + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.session_leader.parent.session_leader.tty.columns level: extended - name: go_imports_names_entropy + name: tty.columns normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. + original_fieldset: process + short: The number of character columns per line. e.g terminal width type: long -process.parent.pe.go_imports_names_var_entropy: - dashed_name: process-parent-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.pe.go_imports_names_var_entropy - format: number +process.session_leader.parent.session_leader.tty.rows: + dashed_name: process-session-leader-parent-session-leader-tty-rows + description: 'The number of character rows in the terminal. 
e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.session_leader.parent.session_leader.tty.rows level: extended - name: go_imports_names_var_entropy + name: tty.rows normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height type: long -process.parent.pe.go_stripped: - dashed_name: process-parent-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.pe.go_stripped +process.session_leader.parent.session_leader.uptime: + dashed_name: process-session-leader-parent-session-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.session_leader.parent.session_leader.uptime level: extended - name: go_stripped + name: uptime normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.parent.pe.imphash: - dashed_name: process-parent-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. + original_fieldset: process + short: Seconds the process has been up. + type: long +process.session_leader.parent.session_leader.user.domain: + dashed_name: process-session-leader-parent-session-leader-user-domain + description: 'Name of the directory the user is a member of. - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' 
- example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.parent.pe.imphash + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.user.domain ignore_above: 1024 level: extended - name: imphash + name: domain normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. + original_fieldset: user + short: Name of the directory the user is a member of. type: keyword -process.parent.pe.import_hash: - dashed_name: process-parent-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.pe.import_hash +process.session_leader.parent.session_leader.user.email: + dashed_name: process-session-leader-parent-session-leader-user-email + description: User email address. + flat_name: process.session_leader.parent.session_leader.user.email ignore_above: 1024 level: extended - name: import_hash + name: email normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. + original_fieldset: user + short: User email address. type: keyword -process.parent.pe.imports: - dashed_name: process-parent-pe-imports - description: List of imported element names and types. - flat_name: process.parent.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened -process.parent.pe.imports_names_entropy: - dashed_name: process-parent-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.parent.pe.imports_names_entropy - format: number +process.session_leader.parent.session_leader.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.user.entity.attributes level: extended - name: imports_names_entropy + name: attributes normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.parent.pe.imports_names_var_entropy: - dashed_name: process-parent-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.pe.imports_names_var_entropy - format: number + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.session_leader.parent.session_leader.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. 
+ flat_name: process.session_leader.parent.session_leader.user.entity.behavior level: extended - name: imports_names_var_entropy + name: behavior normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.parent.pe.original_file_name: - dashed_name: process-parent-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.parent.pe.original_file_name + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.session_leader.parent.session_leader.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.parent.session_leader.user.entity.display_name ignore_above: 1024 level: extended - name: original_file_name + multi_fields: + - flat_name: process.session_leader.parent.session_leader.user.entity.display_name.text + name: text + type: match_only_text + name: display_name normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. type: keyword -process.parent.pe.pehash: - dashed_name: process-parent-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. 
- - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.parent.pe.pehash +process.session_leader.parent.session_leader.user.entity.id: + dashed_name: process-session-leader-parent-session-leader-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.session_leader.parent.session_leader.user.entity.id ignore_above: 1024 - level: extended - name: pehash + level: core + name: id normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. + original_fieldset: entity + short: Unique identifier for the entity. type: keyword -process.parent.pe.product: - dashed_name: process-parent-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.parent.pe.product - ignore_above: 1024 +process.session_leader.parent.session_leader.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. 
+ flat_name: process.session_leader.parent.session_leader.user.entity.last_seen_timestamp level: extended - name: product + name: last_seen_timestamp normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.parent.pe.sections: - dashed_name: process-parent-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.parent.pe.sections + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.session_leader.parent.session_leader.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.user.entity.lifecycle level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.parent.pe.sections.entropy: - dashed_name: process-parent-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.pe.sections.entropy - format: number + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.session_leader.parent.session_leader.user.entity.metrics: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.session_leader.parent.session_leader.user.entity.metrics level: extended - name: sections.entropy + name: metrics normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long -process.parent.pe.sections.name: - dashed_name: process-parent-pe-sections-name - description: PE Section List name. - flat_name: process.parent.pe.sections.name + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.session_leader.parent.session_leader.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.session_leader.parent.session_leader.user.entity.name ignore_above: 1024 - level: extended - name: sections.name + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.user.entity.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: pe - short: PE Section List name. + original_fieldset: entity + short: The name of the entity. type: keyword -process.parent.pe.sections.physical_size: - dashed_name: process-parent-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.parent.pe.sections.physical_size - format: bytes +process.session_leader.parent.session_leader.user.entity.raw: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.session_leader.parent.session_leader.user.entity.raw level: extended - name: sections.physical_size + name: raw normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.parent.pe.sections.var_entropy: - dashed_name: process-parent-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.pe.sections.var_entropy - format: number + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.session_leader.parent.session_leader.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.parent.session_leader.user.entity.reference + ignore_above: 1024 level: extended - name: sections.var_entropy + name: reference normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.parent.pe.sections.virtual_size: - dashed_name: process-parent-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. 
- flat_name: process.parent.pe.sections.virtual_size - format: string + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.session_leader.parent.session_leader.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.session_leader.parent.session_leader.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.session_leader.parent.session_leader.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.parent.session_leader.user.entity.sub_type + ignore_above: 1024 level: extended - name: sections.virtual_size + name: sub_type normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.parent.pid: - dashed_name: process-parent-pid - description: Process id. - example: 4242 - flat_name: process.parent.pid - format: string + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. 
+ type: keyword +process.session_leader.parent.session_leader.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. 
Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.session_leader.parent.session_leader.user.entity.type + ignore_above: 1024 level: core - name: pid + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.session_leader.parent.session_leader.user.full_name: + dashed_name: process-session-leader-parent-session-leader-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.session_leader.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.user.full_name.text + name: text + type: match_only_text + name: full_name normalize: [] - original_fieldset: process - short: Process id. - type: long -process.parent.real_group.id: - dashed_name: process-parent-real-group-id + original_fieldset: user + short: User's full name, if available. + type: keyword +process.session_leader.parent.session_leader.user.group.domain: + dashed_name: process-session-leader-parent-session-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.session_leader.parent.session_leader.user.group.id: + dashed_name: process-session-leader-parent-session-leader-user-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.parent.real_group.id + flat_name: process.session_leader.parent.session_leader.user.group.id ignore_above: 1024 level: extended name: id @@ -13420,10 +56462,10 @@ process.parent.real_group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.parent.real_group.name: - dashed_name: process-parent-real-group-name +process.session_leader.parent.session_leader.user.group.name: + dashed_name: process-session-leader-parent-session-leader-user-group-name description: Name of the group. - flat_name: process.parent.real_group.name + flat_name: process.session_leader.parent.session_leader.user.group.name ignore_above: 1024 level: extended name: name 
@@ -13431,11 +56473,26 @@ process.parent.real_group.name: original_fieldset: group short: Name of the group. type: keyword -process.parent.real_user.id: - dashed_name: process-parent-real-user-id +process.session_leader.parent.session_leader.user.hash: + dashed_name: process-session-leader-parent-session-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.session_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.session_leader.parent.session_leader.user.id: + dashed_name: process-session-leader-parent-session-leader-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.real_user.id + flat_name: process.session_leader.parent.session_leader.user.id ignore_above: 1024 level: core name: id @@ -13443,15 +56500,15 @@ process.parent.real_user.id: original_fieldset: user short: Unique identifier of the user. type: keyword -process.parent.real_user.name: - dashed_name: process-parent-real-user-name +process.session_leader.parent.session_leader.user.name: + dashed_name: process-session-leader-parent-session-leader-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.parent.real_user.name + flat_name: process.session_leader.parent.session_leader.user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.parent.real_user.name.text + - flat_name: process.session_leader.parent.session_leader.user.name.text name: text type: match_only_text name: name 
@@ -13459,71 +56516,160 @@ process.parent.real_user.name: original_fieldset: user short: Short name or login of the user. type: keyword -process.parent.saved_group.id: - dashed_name: process-parent-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.saved_group.id +process.session_leader.parent.session_leader.user.risk.calculated_level: + dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.session_leader.user.risk.calculated_level ignore_above: 1024 level: extended - name: id + name: calculated_level normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. type: keyword -process.parent.saved_group.name: - dashed_name: process-parent-saved-group-name - description: Name of the group. - flat_name: process.parent.saved_group.name +process.session_leader.parent.session_leader.user.risk.calculated_score: + dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.session_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: float +process.session_leader.parent.session_leader.user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.session_leader.parent.session_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.session_leader.parent.session_leader.user.risk.static_level: + dashed_name: process-session-leader-parent-session-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.session_leader.user.risk.static_level ignore_above: 1024 level: extended - name: name + name: static_level normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. type: keyword -process.parent.saved_user.id: - dashed_name: process-parent-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.saved_user.id +process.session_leader.parent.session_leader.user.risk.static_score: + dashed_name: process-session-leader-parent-session-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.session_leader.parent.session_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.session_leader.parent.session_leader.user.risk.static_score_norm: + dashed_name: process-session-leader-parent-session-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.session_leader.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.session_leader.parent.session_leader.user.roles: + dashed_name: process-session-leader-parent-session-leader-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.session_leader.user.roles ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.session_leader.parent.session_leader.vpid: + dashed_name: process-session-leader-parent-session-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.session_leader.parent.session_leader.vpid + format: string level: core - name: id + name: vpid normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword -process.parent.saved_user.name: - dashed_name: process-parent-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.saved_user.name + original_fieldset: process + short: Virtual process id. + type: long +process.session_leader.parent.session_leader.working_directory: + dashed_name: process-session-leader-parent-session-leader-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.session_leader.parent.session_leader.working_directory ignore_above: 1024 - level: core + level: extended multi_fields: - - flat_name: process.parent.saved_user.name.text + - flat_name: process.session_leader.parent.session_leader.working_directory.text name: text type: match_only_text - name: name + name: working_directory normalize: [] - original_fieldset: user - short: Short name or login of the user. + original_fieldset: process + short: The working directory of the process. type: keyword -process.parent.start: - dashed_name: process-parent-start +process.session_leader.parent.start: + dashed_name: process-session-leader-parent-start description: The time the process started. example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.start + flat_name: process.session_leader.parent.start level: extended name: start normalize: [] original_fieldset: process short: The time the process started. type: date -process.parent.supplemental_groups.id: - dashed_name: process-parent-supplemental-groups-id +process.session_leader.parent.supplemental_groups.domain: + dashed_name: process-session-leader-parent-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.session_leader.parent.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.supplemental_groups.id: + dashed_name: process-session-leader-parent-supplemental-groups-id description: Unique identifier for the group on the system/platform. - flat_name: process.parent.supplemental_groups.id + flat_name: process.session_leader.parent.supplemental_groups.id ignore_above: 1024 level: extended name: id @@ -13531,10 +56677,10 @@ process.parent.supplemental_groups.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.parent.supplemental_groups.name: - dashed_name: process-parent-supplemental-groups-name +process.session_leader.parent.supplemental_groups.name: + dashed_name: process-session-leader-parent-supplemental-groups-name description: Name of the group. - flat_name: process.parent.supplemental_groups.name + flat_name: process.session_leader.parent.supplemental_groups.name ignore_above: 1024 level: extended name: name @@ -13542,12 +56688,12 @@ process.parent.supplemental_groups.name: original_fieldset: group short: Name of the group. type: keyword -process.parent.thread.capabilities.effective: - dashed_name: process-parent-thread-capabilities-effective +process.session_leader.parent.thread.capabilities.effective: + dashed_name: process-session-leader-parent-thread-capabilities-effective description: This is the set of capabilities used by the kernel to perform permission checks for the thread. example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.thread.capabilities.effective + flat_name: process.session_leader.parent.thread.capabilities.effective ignore_above: 1024 level: extended name: thread.capabilities.effective 
@@ -13558,12 +56704,12 @@ process.parent.thread.capabilities.effective: short: Array of capabilities used for permission checks. synthetic_source_keep: none type: keyword -process.parent.thread.capabilities.permitted: - dashed_name: process-parent-thread-capabilities-permitted +process.session_leader.parent.thread.capabilities.permitted: + dashed_name: process-session-leader-parent-thread-capabilities-permitted description: This is a limiting superset for the effective capabilities that the thread may assume. example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.thread.capabilities.permitted + flat_name: process.session_leader.parent.thread.capabilities.permitted ignore_above: 1024 level: extended name: thread.capabilities.permitted @@ -13574,11 +56720,11 @@ process.parent.thread.capabilities.permitted: short: Array of capabilities a thread could assume. synthetic_source_keep: none type: keyword -process.parent.thread.id: - dashed_name: process-parent-thread-id +process.session_leader.parent.thread.id: + dashed_name: process-session-leader-parent-thread-id description: Thread ID. example: 4242 - flat_name: process.parent.thread.id + flat_name: process.session_leader.parent.thread.id format: string level: extended name: thread.id @@ -13586,11 +56732,11 @@ process.parent.thread.id: original_fieldset: process short: Thread ID. type: long -process.parent.thread.name: - dashed_name: process-parent-thread-name +process.session_leader.parent.thread.name: + dashed_name: process-session-leader-parent-thread-name description: Thread name. example: thread-0 - flat_name: process.parent.thread.name + flat_name: process.session_leader.parent.thread.name ignore_above: 1024 level: extended name: thread.name 
@@ -13598,17 +56744,17 @@ process.parent.thread.name: original_fieldset: process short: Thread name. type: keyword -process.parent.title: - dashed_name: process-parent-title +process.session_leader.parent.title: + dashed_name: process-session-leader-parent-title description: 'Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' - flat_name: process.parent.title + flat_name: process.session_leader.parent.title ignore_above: 1024 level: extended multi_fields: - - flat_name: process.parent.title.text + - flat_name: process.session_leader.parent.title.text name: text type: match_only_text name: title 
@@ -13616,61 +56762,436 @@ process.parent.title: original_fieldset: process short: Process title. type: keyword -process.parent.tty: - dashed_name: process-parent-tty +process.session_leader.parent.tty: + dashed_name: process-session-leader-parent-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. - flat_name: process.parent.tty + flat_name: process.session_leader.parent.tty level: extended name: tty normalize: [] original_fieldset: process short: Information about the controlling TTY device. type: object -process.parent.tty.char_device.major: - dashed_name: process-parent-tty-char-device-major +process.session_leader.parent.tty.char_device.major: + dashed_name: process-session-leader-parent-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. example: 4 - flat_name: process.parent.tty.char_device.major + flat_name: process.session_leader.parent.tty.char_device.major level: extended name: tty.char_device.major normalize: [] original_fieldset: process short: The TTY character device's major number. type: long -process.parent.tty.char_device.minor: - dashed_name: process-parent-tty-char-device-minor +process.session_leader.parent.tty.char_device.minor: + dashed_name: process-session-leader-parent-tty-char-device-minor description: The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them. 
example: 1 - flat_name: process.parent.tty.char_device.minor + flat_name: process.session_leader.parent.tty.char_device.minor level: extended name: tty.char_device.minor normalize: [] original_fieldset: process short: The TTY character device's minor number. type: long -process.parent.uptime: - dashed_name: process-parent-uptime +process.session_leader.parent.tty.columns: + dashed_name: process-session-leader-parent-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.session_leader.parent.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long +process.session_leader.parent.tty.rows: + dashed_name: process-session-leader-parent-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.session_leader.parent.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long +process.session_leader.parent.uptime: + dashed_name: process-session-leader-parent-uptime description: Seconds the process has been up. example: 1325 - flat_name: process.parent.uptime + flat_name: process.session_leader.parent.uptime level: extended name: uptime normalize: [] original_fieldset: process short: Seconds the process has been up. 
type: long -process.parent.user.id: - dashed_name: process-parent-user-id +process.session_leader.parent.user.domain: + dashed_name: process-session-leader-parent-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.session_leader.parent.user.email: + dashed_name: process-session-leader-parent-user-email + description: User email address. + flat_name: process.session_leader.parent.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.session_leader.parent.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.session_leader.parent.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.session_leader.parent.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. 
Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.session_leader.parent.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.session_leader.parent.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.parent.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.session_leader.parent.user.entity.id: + dashed_name: process-session-leader-parent-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' 
+ flat_name: process.session_leader.parent.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.session_leader.parent.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.parent.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.session_leader.parent.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.session_leader.parent.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.session_leader.parent.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. 
+ type: object +process.session_leader.parent.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.session_leader.parent.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.session_leader.parent.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.session_leader.parent.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.session_leader.parent.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: process.session_leader.parent.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.session_leader.parent.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.session_leader.parent.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.session_leader.parent.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.parent.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.session_leader.parent.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. 
Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. 
Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. 
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.session_leader.parent.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.session_leader.parent.user.full_name: + dashed_name: process-session-leader-parent-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.session_leader.parent.user.group.domain: + dashed_name: process-session-leader-parent-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.user.group.id: + dashed_name: process-session-leader-parent-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.user.group.name: + dashed_name: process-session-leader-parent-user-group-name + description: Name of the group. 
+ flat_name: process.session_leader.parent.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.user.hash: + dashed_name: process-session-leader-parent-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.session_leader.parent.user.id: + dashed_name: process-session-leader-parent-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.user.id + flat_name: process.session_leader.parent.user.id ignore_above: 1024 level: core name: id @@ -13678,15 +57199,15 @@ process.parent.user.id: original_fieldset: user short: Unique identifier of the user. type: keyword -process.parent.user.name: - dashed_name: process-parent-user-name +process.session_leader.parent.user.name: + dashed_name: process-session-leader-parent-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.parent.user.name + flat_name: process.session_leader.parent.user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.parent.user.name.text + - flat_name: process.session_leader.parent.user.name.text name: text type: match_only_text name: name 
@@ -13694,15 +57215,109 @@ process.parent.user.name: original_fieldset: user short: Short name or login of the user. type: keyword -process.parent.vpid: - dashed_name: process-parent-vpid +process.session_leader.parent.user.risk.calculated_level: + dashed_name: process-session-leader-parent-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.session_leader.parent.user.risk.calculated_score: + dashed_name: process-session-leader-parent-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.session_leader.parent.user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.session_leader.parent.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float +process.session_leader.parent.user.risk.static_level: + dashed_name: process-session-leader-parent-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.session_leader.parent.user.risk.static_score: + dashed_name: process-session-leader-parent-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.session_leader.parent.user.risk.static_score_norm: + dashed_name: process-session-leader-parent-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.session_leader.parent.user.roles: + dashed_name: process-session-leader-parent-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.session_leader.parent.vpid: + dashed_name: process-session-leader-parent-vpid description: 'Virtual process id. The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within.' example: 4242 - flat_name: process.parent.vpid + flat_name: process.session_leader.parent.vpid format: string level: core name: vpid @@ -13710,15 +57325,15 @@ process.parent.vpid: original_fieldset: process short: Virtual process id. type: long -process.parent.working_directory: - dashed_name: process-parent-working-directory +process.session_leader.parent.working_directory: + dashed_name: process-session-leader-parent-working-directory description: The working directory of the process. example: /home/alice - flat_name: process.parent.working_directory + flat_name: process.session_leader.parent.working_directory ignore_above: 1024 level: extended multi_fields: - - flat_name: process.parent.working_directory.text + - flat_name: process.session_leader.parent.working_directory.text name: text type: match_only_text name: working_directory @@ -13726,11 +57341,11 @@ process.parent.working_directory: original_fieldset: process short: The working directory of the process. type: keyword -process.pe.architecture: - dashed_name: process-pe-architecture +process.session_leader.pe.architecture: + dashed_name: process-session-leader-pe-architecture description: CPU architecture target for the file. example: x64 - flat_name: process.pe.architecture + flat_name: process.session_leader.pe.architecture ignore_above: 1024 level: extended name: architecture 
@@ -13738,11 +57353,11 @@ process.pe.architecture: original_fieldset: pe short: CPU architecture target for the file. type: keyword -process.pe.company: - dashed_name: process-pe-company +process.session_leader.pe.company: + dashed_name: process-session-leader-pe-company description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation - flat_name: process.pe.company + flat_name: process.session_leader.pe.company ignore_above: 1024 level: extended name: company @@ -13750,11 +57365,11 @@ process.pe.company: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword -process.pe.description: - dashed_name: process-pe-description +process.session_leader.pe.description: + dashed_name: process-session-leader-pe-description description: Internal description of the file, provided at compile-time. example: Paint - flat_name: process.pe.description + flat_name: process.session_leader.pe.description ignore_above: 1024 level: extended name: description @@ -13762,11 +57377,11 @@ process.pe.description: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword -process.pe.file_version: - dashed_name: process-pe-file-version +process.session_leader.pe.file_version: + dashed_name: process-session-leader-pe-file-version description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 - flat_name: process.pe.file_version + flat_name: process.session_leader.pe.file_version ignore_above: 1024 level: extended name: file_version 
@@ -13774,8 +57389,8 @@ process.pe.file_version: original_fieldset: pe short: Process name. type: keyword -process.pe.go_import_hash: - dashed_name: process-pe-go-import-hash +process.session_leader.pe.go_import_hash: + dashed_name: process-session-leader-pe-go-import-hash description: 'A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change @@ -13784,7 +57399,7 @@ process.pe.go_import_hash: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.pe.go_import_hash + flat_name: process.session_leader.pe.go_import_hash ignore_above: 1024 level: extended name: go_import_hash @@ -13792,20 +57407,20 @@ process.pe.go_import_hash: original_fieldset: pe short: A hash of the Go language imports in a PE file. type: keyword -process.pe.go_imports: - dashed_name: process-pe-go-imports +process.session_leader.pe.go_imports: + dashed_name: process-session-leader-pe-go-imports description: List of imported Go language element names and types. - flat_name: process.pe.go_imports + flat_name: process.session_leader.pe.go_imports level: extended name: go_imports normalize: [] original_fieldset: pe short: List of imported Go language element names and types. type: flattened -process.pe.go_imports_names_entropy: - dashed_name: process-pe-go-imports-names-entropy +process.session_leader.pe.go_imports_names_entropy: + dashed_name: process-session-leader-pe-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.pe.go_imports_names_entropy + flat_name: process.session_leader.pe.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy 
@@ -13813,10 +57428,10 @@ process.pe.go_imports_names_entropy: original_fieldset: pe short: Shannon entropy calculation from the list of Go imports. type: long -process.pe.go_imports_names_var_entropy: - dashed_name: process-pe-go-imports-names-var-entropy +process.session_leader.pe.go_imports_names_var_entropy: + dashed_name: process-session-leader-pe-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.pe.go_imports_names_var_entropy + flat_name: process.session_leader.pe.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -13824,26 +57439,26 @@ process.pe.go_imports_names_var_entropy: original_fieldset: pe short: Variance for Shannon entropy calculation from the list of Go imports. type: long -process.pe.go_stripped: - dashed_name: process-pe-go-stripped +process.session_leader.pe.go_stripped: + dashed_name: process-session-leader-pe-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.pe.go_stripped + flat_name: process.session_leader.pe.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: pe short: Whether the file is a stripped or obfuscated Go executable. type: boolean -process.pe.imphash: - dashed_name: process-pe-imphash +process.session_leader.pe.imphash: + dashed_name: process-session-leader-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.pe.imphash + flat_name: process.session_leader.pe.imphash ignore_above: 1024 level: extended name: imphash 
@@ -13851,15 +57466,15 @@ process.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword -process.pe.import_hash: - dashed_name: process-pe-import-hash +process.session_leader.pe.import_hash: + dashed_name: process-session-leader-pe-import-hash description: 'A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for imphash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.pe.import_hash + flat_name: process.session_leader.pe.import_hash ignore_above: 1024 level: extended name: import_hash @@ -13867,10 +57482,10 @@ process.pe.import_hash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword -process.pe.imports: - dashed_name: process-pe-imports +process.session_leader.pe.imports: + dashed_name: process-session-leader-pe-imports description: List of imported element names and types. - flat_name: process.pe.imports + flat_name: process.session_leader.pe.imports level: extended name: imports normalize: @@ -13878,11 +57493,11 @@ process.pe.imports: original_fieldset: pe short: List of imported element names and types. type: flattened -process.pe.imports_names_entropy: - dashed_name: process-pe-imports-names-entropy +process.session_leader.pe.imports_names_entropy: + dashed_name: process-session-leader-pe-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.pe.imports_names_entropy + flat_name: process.session_leader.pe.imports_names_entropy format: number level: extended name: imports_names_entropy 
@@ -13890,11 +57505,11 @@ process.pe.imports_names_entropy: original_fieldset: pe short: Shannon entropy calculation from the list of imported element names and types. type: long -process.pe.imports_names_var_entropy: - dashed_name: process-pe-imports-names-var-entropy +process.session_leader.pe.imports_names_var_entropy: + dashed_name: process-session-leader-pe-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.pe.imports_names_var_entropy + flat_name: process.session_leader.pe.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy @@ -13903,11 +57518,11 @@ process.pe.imports_names_var_entropy: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long -process.pe.original_file_name: - dashed_name: process-pe-original-file-name +process.session_leader.pe.original_file_name: + dashed_name: process-session-leader-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE - flat_name: process.pe.original_file_name + flat_name: process.session_leader.pe.original_file_name ignore_above: 1024 level: extended name: original_file_name 
@@ -13915,15 +57530,15 @@ process.pe.original_file_name: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: keyword -process.pe.pehash: - dashed_name: process-pe-pehash +process.session_leader.pe.pehash: + dashed_name: process-session-leader-pe-pehash description: 'A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.pe.pehash + flat_name: process.session_leader.pe.pehash ignore_above: 1024 level: extended name: pehash @@ -13931,11 +57546,11 @@ process.pe.pehash: original_fieldset: pe short: A hash of the PE header and data from one or more PE sections. type: keyword -process.pe.product: - dashed_name: process-pe-product +process.session_leader.pe.product: + dashed_name: process-session-leader-pe-product description: Internal product name of the file, provided at compile-time. example: Microsoft® Windows® Operating System - flat_name: process.pe.product + flat_name: process.session_leader.pe.product ignore_above: 1024 level: extended name: product @@ -13943,13 +57558,13 @@ process.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword -process.pe.sections: - dashed_name: process-pe-sections +process.session_leader.pe.sections: + dashed_name: process-session-leader-pe-sections description: 'An array containing an object for each section of the PE file. The keys that should be present in these objects are defined by sub-fields underneath `pe.sections.*`.' - flat_name: process.pe.sections + flat_name: process.session_leader.pe.sections level: extended name: sections normalize: 
@@ -13957,10 +57572,10 @@ process.pe.sections: original_fieldset: pe short: Section information of the PE file. type: nested -process.pe.sections.entropy: - dashed_name: process-pe-sections-entropy +process.session_leader.pe.sections.entropy: + dashed_name: process-session-leader-pe-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.pe.sections.entropy + flat_name: process.session_leader.pe.sections.entropy format: number level: extended name: sections.entropy @@ -13968,10 +57583,10 @@ process.pe.sections.entropy: original_fieldset: pe short: Shannon entropy calculation from the section. type: long -process.pe.sections.name: - dashed_name: process-pe-sections-name +process.session_leader.pe.sections.name: + dashed_name: process-session-leader-pe-sections-name description: PE Section List name. - flat_name: process.pe.sections.name + flat_name: process.session_leader.pe.sections.name ignore_above: 1024 level: extended name: sections.name @@ -13979,10 +57594,10 @@ process.pe.sections.name: original_fieldset: pe short: PE Section List name. type: keyword -process.pe.sections.physical_size: - dashed_name: process-pe-sections-physical-size +process.session_leader.pe.sections.physical_size: + dashed_name: process-session-leader-pe-sections-physical-size description: PE Section List physical size. - flat_name: process.pe.sections.physical_size + flat_name: process.session_leader.pe.sections.physical_size format: bytes level: extended name: sections.physical_size 
@@ -13990,10 +57605,10 @@ process.pe.sections.physical_size: original_fieldset: pe short: PE Section List physical size. type: long -process.pe.sections.var_entropy: - dashed_name: process-pe-sections-var-entropy +process.session_leader.pe.sections.var_entropy: + dashed_name: process-session-leader-pe-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.pe.sections.var_entropy + flat_name: process.session_leader.pe.sections.var_entropy format: number level: extended name: sections.var_entropy @@ -14001,10 +57616,10 @@ process.pe.sections.var_entropy: original_fieldset: pe short: Variance for Shannon entropy calculation from the section. type: long -process.pe.sections.virtual_size: - dashed_name: process-pe-sections-virtual-size +process.session_leader.pe.sections.virtual_size: + dashed_name: process-session-leader-pe-sections-virtual-size description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.pe.sections.virtual_size + flat_name: process.session_leader.pe.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -14012,71 +57627,50 @@ process.pe.sections.virtual_size: original_fieldset: pe short: PE Section List virtual size. This is always the same as `physical_size`. type: long -process.pid: - dashed_name: process-pid +process.session_leader.pid: + dashed_name: process-session-leader-pid description: Process id. example: 4242 - flat_name: process.pid + flat_name: process.session_leader.pid format: string level: core name: pid normalize: [] + original_fieldset: process otel: - relation: match - stability: development short: Process id. type: long -process.previous.args: - dashed_name: process-previous-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.previous.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword -process.previous.args_count: - dashed_name: process-previous-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.previous.args_count +process.session_leader.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. + flat_name: process.session_leader.platform_binary level: extended - name: args_count + name: platform_binary normalize: [] original_fieldset: process - short: Length of the process.args array. - type: long -process.previous.executable: - dashed_name: process-previous-executable - description: Absolute path to the process executable. 
- example: /usr/bin/ssh - flat_name: process.previous.executable + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.session_leader.real_group.domain: + dashed_name: process-session-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.real_group.domain ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.previous.executable.text - name: text - type: match_only_text - name: executable + name: domain normalize: [] - original_fieldset: process - short: Absolute path to the process executable. + original_fieldset: group + short: Name of the directory the group is a member of. type: keyword -process.real_group.id: - dashed_name: process-real-group-id +process.session_leader.real_group.id: + dashed_name: process-session-leader-real-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.real_group.id + flat_name: process.session_leader.real_group.id ignore_above: 1024 level: extended name: id @@ -14084,10 +57678,10 @@ process.real_group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.real_group.name: - dashed_name: process-real-group-name +process.session_leader.real_group.name: + dashed_name: process-session-leader-real-group-name description: Name of the group. - flat_name: process.real_group.name + flat_name: process.session_leader.real_group.name ignore_above: 1024 level: extended name: name 
@@ -14095,379 +57689,320 @@ process.real_group.name: original_fieldset: group short: Name of the group. type: keyword -process.real_user.id: - dashed_name: process-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.real_user.id +process.session_leader.real_user.domain: + dashed_name: process-session-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.real_user.domain ignore_above: 1024 - level: core - name: id + level: extended + name: domain normalize: [] original_fieldset: user - otel: - - relation: match - stability: development - short: Unique identifier of the user. + short: Name of the directory the user is a member of. type: keyword -process.real_user.name: - dashed_name: process-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.real_user.name +process.session_leader.real_user.email: + dashed_name: process-session-leader-real-user-email + description: User email address. + flat_name: process.session_leader.real_user.email ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.real_user.name.text - name: text - type: match_only_text - name: name + level: extended + name: email normalize: [] original_fieldset: user - otel: - - relation: match - stability: development - short: Short name or login of the user. + short: User email address. type: keyword -process.saved_group.id: - dashed_name: process-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.saved_group.id - ignore_above: 1024 +process.session_leader.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. 
Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.session_leader.real_user.entity.attributes level: extended - name: id + name: attributes normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.saved_group.name: - dashed_name: process-saved-group-name - description: Name of the group. - flat_name: process.saved_group.name - ignore_above: 1024 + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.session_leader.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.session_leader.real_user.entity.behavior level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.saved_user.id: - dashed_name: process-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.saved_user.id - ignore_above: 1024 - level: core - name: id + name: behavior normalize: [] - original_fieldset: user - otel: - - relation: match - stability: development - short: Unique identifier of the user. - type: keyword -process.saved_user.name: - dashed_name: process-saved-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.saved_user.name + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.session_leader.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.real_user.entity.display_name ignore_above: 1024 - level: core + level: extended multi_fields: - - flat_name: process.saved_user.name.text + - flat_name: process.session_leader.real_user.entity.display_name.text name: text type: match_only_text - name: name + name: display_name normalize: [] - original_fieldset: user - otel: - - relation: match - stability: development - short: Short name or login of the user. + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. type: keyword -process.session_leader.args: - dashed_name: process-session-leader-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.session_leader.args +process.session_leader.real_user.entity.id: + dashed_name: process-session-leader-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). 
For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.session_leader.real_user.entity.id ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. type: keyword -process.session_leader.args_count: - dashed_name: process-session-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.session_leader.args_count +process.session_leader.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.real_user.entity.last_seen_timestamp level: extended - name: args_count + name: last_seen_timestamp normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long -process.session_leader.command_line: - dashed_name: process-session-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.session_leader.command_line + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." 
+ type: date +process.session_leader.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.real_user.entity.lifecycle level: extended - multi_fields: - - flat_name: process.session_leader.command_line.text - name: text - type: match_only_text - name: command_line + name: lifecycle normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.session_leader.entity_id: - dashed_name: process-session-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.session_leader.entity_id - ignore_above: 1024 + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.session_leader.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. 
+ flat_name: process.session_leader.real_user.entity.metrics level: extended - name: entity_id + name: metrics normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.session_leader.executable: - dashed_name: process-session-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.session_leader.executable + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.session_leader.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.session_leader.real_user.entity.name ignore_above: 1024 - level: extended + level: core multi_fields: - - flat_name: process.session_leader.executable.text + - flat_name: process.session_leader.real_user.entity.name.text name: text type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword -process.session_leader.group.id: - dashed_name: process-session-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.group.name: - dashed_name: process-session-leader-group-name - description: Name of the group. 
- flat_name: process.session_leader.group.name - ignore_above: 1024 - level: extended name: name normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: entity + short: The name of the entity. type: keyword -process.session_leader.interactive: - dashed_name: process-session-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.session_leader.interactive +process.session_leader.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.session_leader.real_user.entity.raw level: extended - name: interactive + name: raw normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.session_leader.name: - dashed_name: process-session-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.session_leader.name + original_fieldset: entity + short: Original, unmodified fields from the source system. 
+ type: object +process.session_leader.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.real_user.entity.reference ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.session_leader.name.text - name: text - type: match_only_text - name: name + name: reference normalize: [] - original_fieldset: process - short: Process name. + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. type: keyword -process.session_leader.parent.entity_id: - dashed_name: process-session-leader-parent-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.session_leader.parent.entity_id +process.session_leader.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.session_leader.real_user.entity.source ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. 
- type: keyword -process.session_leader.parent.pid: - dashed_name: process-session-leader-parent-pid - description: Process id. - example: 4242 - flat_name: process.session_leader.parent.pid - format: string level: core - name: pid + name: source normalize: [] - original_fieldset: process - short: Process id. - type: long -process.session_leader.parent.session_leader.entity_id: - dashed_name: process-session-leader-parent-session-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.session_leader.parent.session_leader.entity_id + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.session_leader.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.real_user.entity.sub_type ignore_above: 1024 level: extended - name: entity_id + name: sub_type normalize: [] - original_fieldset: process - short: Unique identifier for the process. 
+ original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. type: keyword -process.session_leader.parent.session_leader.pid: - dashed_name: process-session-leader-parent-session-leader-pid - description: Process id. - example: 4242 - flat_name: process.session_leader.parent.session_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long -process.session_leader.parent.session_leader.start: - dashed_name: process-session-leader-parent-session-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.session_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.session_leader.parent.session_leader.vpid: - dashed_name: process-session-leader-parent-session-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.session_leader.parent.session_leader.vpid - format: string +process.session_leader.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. 
+ The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. 
Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.session_leader.real_user.entity.type + ignore_above: 1024 level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. 
- type: long -process.session_leader.parent.start: - dashed_name: process-session-leader-parent-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.start + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.session_leader.real_user.full_name: + dashed_name: process-session-leader-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.real_user.full_name + ignore_above: 1024 level: extended - name: start + multi_fields: + - flat_name: process.session_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.session_leader.parent.vpid: - dashed_name: process-session-leader-parent-vpid - description: 'Virtual process id. + original_fieldset: user + short: User's full name, if available. + type: keyword +process.session_leader.real_user.group.domain: + dashed_name: process-session-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.session_leader.parent.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.session_leader.pid: - dashed_name: process-session-leader-pid - description: Process id. - example: 4242 - flat_name: process.session_leader.pid - format: string - level: core - name: pid + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.session_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain normalize: [] - original_fieldset: process - otel: - - relation: match - stability: development - short: Process id. - type: long -process.session_leader.real_group.id: - dashed_name: process-session-leader-real-group-id + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.real_user.group.id: + dashed_name: process-session-leader-real-user-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.real_group.id + flat_name: process.session_leader.real_user.group.id ignore_above: 1024 level: extended name: id @@ -14475,10 +58010,10 @@ process.session_leader.real_group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.session_leader.real_group.name: - dashed_name: process-session-leader-real-group-name +process.session_leader.real_user.group.name: + dashed_name: process-session-leader-real-user-group-name description: Name of the group. - flat_name: process.session_leader.real_group.name + flat_name: process.session_leader.real_user.group.name ignore_above: 1024 level: extended name: name 
@@ -14486,6 +58021,21 @@ process.session_leader.real_group.name: original_fieldset: group short: Name of the group. type: keyword +process.session_leader.real_user.hash: + dashed_name: process-session-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword process.session_leader.real_user.id: dashed_name: process-session-leader-real-user-id description: Unique identifier of the user. 
@@ -14514,6 +58064,100 @@ process.session_leader.real_user.name: original_fieldset: user short: Short name or login of the user. type: keyword +process.session_leader.real_user.risk.calculated_level: + dashed_name: process-session-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.session_leader.real_user.risk.calculated_score: + dashed_name: process-session-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.session_leader.real_user.risk.calculated_score_norm: + dashed_name: process-session-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.session_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float +process.session_leader.real_user.risk.static_level: + dashed_name: process-session-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.session_leader.real_user.risk.static_score: + dashed_name: process-session-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.session_leader.real_user.risk.static_score_norm: + dashed_name: process-session-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.session_leader.real_user.roles: + dashed_name: process-session-leader-real-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword process.session_leader.same_as_process: dashed_name: process-session-leader-same-as-process description: 'This boolean is used to identify if a leader process is the same as @@ -14544,6 +58188,19 @@ process.session_leader.same_as_process: short: This boolean is used to identify if a leader process is the same as the top level process. type: boolean +process.session_leader.saved_group.domain: + dashed_name: process-session-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword process.session_leader.saved_group.id: dashed_name: process-session-leader-saved-group-id description: Unique identifier for the group on the system/platform. 
@@ -14566,33 +58223,474 @@ process.session_leader.saved_group.name: original_fieldset: group short: Name of the group. type: keyword +process.session_leader.saved_user.domain: + dashed_name: process-session-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.session_leader.saved_user.email: + dashed_name: process-session-leader-saved-user-email + description: User email address. + flat_name: process.session_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.session_leader.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.session_leader.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.session_leader.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. 
Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.session_leader.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.session_leader.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.saved_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.session_leader.saved_user.entity.id: + dashed_name: process-session-leader-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' 
+ flat_name: process.session_leader.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.session_leader.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.session_leader.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.session_leader.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.session_leader.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. 
+ type: object +process.session_leader.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.session_leader.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.saved_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.session_leader.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.session_leader.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.session_leader.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: process.session_leader.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.session_leader.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.session_leader.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.session_leader.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.session_leader.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. 
Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. 
Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. 
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.session_leader.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.session_leader.saved_user.full_name: + dashed_name: process-session-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.session_leader.saved_user.group.domain: + dashed_name: process-session-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.saved_user.group.id: + dashed_name: process-session-leader-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.saved_user.group.name: + dashed_name: process-session-leader-saved-user-group-name + description: Name of the group. 
+ flat_name: process.session_leader.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.saved_user.hash: + dashed_name: process-session-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword process.session_leader.saved_user.id: dashed_name: process-session-leader-saved-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 flat_name: process.session_leader.saved_user.id ignore_above: 1024 - level: core - name: id + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.session_leader.saved_user.name: + dashed_name: process-session-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.session_leader.saved_user.risk.calculated_level: + dashed_name: process-session-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.session_leader.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.session_leader.saved_user.risk.calculated_score: + dashed_name: process-session-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.session_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-session-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.session_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.session_leader.saved_user.risk.static_level: + dashed_name: process-session-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
+ original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. type: keyword -process.session_leader.saved_user.name: - dashed_name: process-session-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.saved_user.name.text - name: text - type: match_only_text - name: name +process.session_leader.saved_user.risk.static_score: + dashed_name: process-session-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.session_leader.saved_user.risk.static_score_norm: + dashed_name: process-session-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.session_leader.saved_user.roles: + dashed_name: process-session-leader-saved-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array original_fieldset: user - short: Short name or login of the user. + short: Array of user roles at the time of the event. + synthetic_source_keep: none type: keyword process.session_leader.start: dashed_name: process-session-leader-start @@ -14605,6 +58703,19 @@ process.session_leader.start: original_fieldset: process short: The time the process started. type: date +process.session_leader.supplemental_groups.domain: + dashed_name: process-session-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword process.session_leader.supplemental_groups.id: dashed_name: process-session-leader-supplemental-groups-id description: Unique identifier for the group on the system/platform. 
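Review bot: the entity descriptions added under `process.session_leader.saved_user.entity.*` carry wording errors that should be fixed in the entity schema source and regenerated rather than patched here, since these entries are expanded copies of that field set (`original_fieldset: entity`) and the same text recurs under `process.session_leader.user.entity.*` in the last hunk: `entity.name` reads "this field should mirrors the corresponding *.name value" (should be "should mirror"), and `entity.id` reads "ARNs values in AWS" (should be "ARN values"). Two consistency points in the same block are worth confirming: `entity.id` is the only `entity.*` field here without a `beta: This field is beta and subject to change.` marker while `entity.name`, `entity.type` and `entity.source`, also at `level: core`, carry it; and `entity.raw` is mapped as `type: object` while its description says "Usually flattened field data type", so either the description should say the mapping is an object with dynamic subfields or the type should change at the source. Since `entity.raw` is documented as preserving "all source metadata" unmodified and here sits under a `user` nesting, the description could also point readers at `user.hash`, which this hunk documents as the field to use "if `user.id` or `user.name` contain confidential information".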
@@ -14627,6 +58738,80 @@ process.session_leader.supplemental_groups.name: original_fieldset: group short: Name of the group. type: keyword +process.session_leader.thread.capabilities.effective: + dashed_name: process-session-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.session_leader.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword +process.session_leader.thread.capabilities.permitted: + dashed_name: process-session-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.session_leader.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword +process.session_leader.thread.id: + dashed_name: process-session-leader-thread-id + description: Thread ID. + example: 4242 + flat_name: process.session_leader.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long +process.session_leader.thread.name: + dashed_name: process-session-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.session_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. 
+ type: keyword +process.session_leader.title: + dashed_name: process-session-leader-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' + flat_name: process.session_leader.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword process.session_leader.tty: dashed_name: process-session-leader-tty description: Information about the controlling TTY device. If set, the process belongs 
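Review bot: `process.session_leader.title` carries the description "The proctitle, some times the same as process name" where "sometimes" is meant; as this entry is an expanded copy of the process field set (`original_fieldset: process`), the fix belongs in the process schema source so every nested copy regenerates. For the two capability fields it would help consumers to state explicitly which one to query: `thread.capabilities.effective` is described as "the set of capabilities used by the kernel to perform permission checks for the thread", while `thread.capabilities.permitted` is only "a limiting superset for the effective capabilities that the thread may assume", so a sentence noting that `effective` reflects what the session leader can currently do (the example value lists `CAP_SYS_ADMIN`) and `permitted` only what it could acquire would prevent the two being conflated in queries; the shared `pattern: ^(CAP_[A-Z_]+|\d+)$` accepting bare numeric capability ids alongside `CAP_*` names is also worth a word in the description.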
@@ -14666,6 +58851,392 @@ process.session_leader.tty.char_device.minor: original_fieldset: process short: The TTY character device's minor number. type: long +process.session_leader.tty.columns: + dashed_name: process-session-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.session_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long +process.session_leader.tty.rows: + dashed_name: process-session-leader-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.session_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long +process.session_leader.uptime: + dashed_name: process-session-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.session_leader.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long +process.session_leader.user.domain: + dashed_name: process-session-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. 
+ type: keyword +process.session_leader.user.email: + dashed_name: process-session-leader-user-email + description: User email address. + flat_name: process.session_leader.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.session_leader.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.session_leader.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.session_leader.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.session_leader.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.session_leader.user.entity.display_name: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.session_leader.user.entity.id: + dashed_name: process-session-leader-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.session_leader.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.session_leader.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. 
+ flat_name: process.session_leader.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.session_leader.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.session_leader.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.session_leader.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.session_leader.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. 
+ flat_name: process.session_leader.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.session_leader.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.session_leader.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.session_leader.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.session_leader.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). 
+ flat_name: process.session_leader.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.session_leader.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.session_leader.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. 
+ Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. 
Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.session_leader.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.session_leader.user.full_name: + dashed_name: process-session-leader-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.session_leader.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.session_leader.user.group.domain: + dashed_name: process-session-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.user.group.id: + dashed_name: process-session-leader-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.user.group.name: + dashed_name: process-session-leader-user-group-name + description: Name of the group. + flat_name: process.session_leader.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.user.hash: + dashed_name: process-session-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. 
+ type: keyword process.session_leader.user.id: dashed_name: process-session-leader-user-id description: Unique identifier of the user. 
@@ -14694,6 +59265,100 @@ process.session_leader.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +process.session_leader.user.risk.calculated_level: + dashed_name: process-session-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.session_leader.user.risk.calculated_score: + dashed_name: process-session-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.session_leader.user.risk.calculated_score_norm: + dashed_name: process-session-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.session_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float +process.session_leader.user.risk.static_level: + dashed_name: process-session-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.session_leader.user.risk.static_score: + dashed_name: process-session-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.session_leader.user.risk.static_score_norm: + dashed_name: process-session-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.session_leader.user.roles: + dashed_name: process-session-leader-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword process.session_leader.vpid: dashed_name: process-session-leader-vpid description: 'Virtual process id. @@ -14736,6 +59401,19 @@ process.start: normalize: [] short: The time the process started. type: date +process.supplemental_groups.domain: + dashed_name: process-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword process.supplemental_groups.id: dashed_name: process-supplemental-groups-id description: Unique identifier for the group on the system/platform. @@ -14827,7 +59505,6 @@ process.title: normalize: [] otel: - relation: match - stability: development short: Process title. type: keyword process.tty: 
@@ -14903,9 +59580,355 @@ process.uptime: otel: - metric: process.uptime relation: metric - stability: development short: Seconds the process has been up. type: long +process.user.domain: + dashed_name: process-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.user.email: + dashed_name: process-user-email + description: User email address. + flat_name: process.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. 
+ flat_name: process.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.user.entity.id: + dashed_name: process-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. 
+ dashed_name: process-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. 
+ flat_name: process.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.user.entity.sub_type: + beta: This field is beta and subject to change. 
+ dashed_name: process-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. 
Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. 
+ name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.user.full_name: + dashed_name: process-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.user.group.domain: + dashed_name: process-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.user.group.id: + dashed_name: process-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.user.group.name: + dashed_name: process-user-group-name + description: Name of the group. + flat_name: process.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.user.hash: + dashed_name: process-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword process.user.id: dashed_name: process-user-id description: Unique identifier of the user. @@ -14918,7 +59941,6 @@ process.user.id: original_fieldset: user otel: - relation: match - stability: development short: Unique identifier of the user. type: keyword process.user.name: 
@@ -14937,9 +59959,102 @@ process.user.name: original_fieldset: user otel: - relation: match - stability: development short: Short name or login of the user. type: keyword +process.user.risk.calculated_level: + dashed_name: process-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.user.risk.calculated_score: + dashed_name: process-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.user.risk.calculated_score_norm: + dashed_name: process-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.user.risk.static_level: + dashed_name: process-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.user.risk.static_score: + dashed_name: process-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.user.risk.static_score_norm: + dashed_name: process-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.user.roles: + dashed_name: process-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword process.vpid: dashed_name: process-vpid description: 'Virtual process id. @@ -14955,7 +60070,6 @@ process.vpid: normalize: [] otel: - relation: match - stability: development short: Virtual process id. type: long process.working_directory: 
@@ -14973,7 +60087,6 @@ process.working_directory: normalize: [] otel: - relation: match - stability: development short: The working directory of the process. type: keyword registry.data.bytes: @@ -15260,7 +60373,6 @@ server.address: normalize: [] otel: - relation: match - stability: stable short: Server network address. type: keyword server.as.number: @@ -15526,7 +60638,6 @@ server.port: normalize: [] otel: - relation: match - stability: stable short: Port of the server. type: long server.registered_domain: 
@@ -15605,6 +60716,263 @@ server.user.email: original_fieldset: user short: User email address. type: keyword +server.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: server.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +server.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: server.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +server.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: server.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: server.user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +server.user.entity.id: + dashed_name: server-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: server.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +server.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: server.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +server.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: server.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +server.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: server.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +server.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: server.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: server.user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +server.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. 
+ flat_name: server.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +server.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: server.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +server.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: server.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +server.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: server.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +server.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. 
This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: server-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: server.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword server.user.full_name: dashed_name: server-user-full-name description: User's full name, if available. 
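Review bot: the generated descriptions in this hunk carry wording defects that live in schemas/entity.yml and should be fixed there and regenerated, not patched in this file: `server.user.entity.name` reads "this field should mirrors the corresponding *.name value" (should be "should mirror"), `server.user.entity.id` reads "ARNs values in AWS" (should be "ARN values"), and the `server.user.entity.sub_type` example list has stray spaces before its commas ("`hardware` , `virtual` , `container` ,"). Separately, `server.user.entity.raw` says "Usually flattened field data type" while its mapping is `type: object`; pick one, since `object` and `flattened` index the `raw.*` contents differently and a consumer cannot tell from this text which behaviour to expect.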
@@ -15699,6 +61067,86 @@ server.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +server.user.risk.calculated_level: + dashed_name: server-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: server.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +server.user.risk.calculated_score: + dashed_name: server-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: server.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +server.user.risk.calculated_score_norm: + dashed_name: server-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: server.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +server.user.risk.static_level: + dashed_name: server-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: server.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +server.user.risk.static_score: + dashed_name: server-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: server.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +server.user.risk.static_score_norm: + dashed_name: server-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: server.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float server.user.roles: dashed_name: server-user-roles description: Array of user roles at the time of the event. 
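Review bot: the six `server.user.risk.*` fields appear here for the first time under `server.user`, but the commit subjects in this series only mention entity descriptions and tests; confirm the `risk` nesting under `server.user` is intended by this PR and document it in the changelog, because it changes the mapping for every consumer of `server.user`. Also, `server.user.risk.static_score_norm` has `short: A normalized risk score calculated by an external system.` while its description says the score is "obtained from outside the system"; use the description's wording in `short` so the two do not disagree about who computes the value.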
@@ -15959,12 +61407,21 @@ service.entity.type: login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: service-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: service.entity.type ignore_above: 1024 @@ -15992,7 +61449,6 @@ service.environment: otel: - attribute: deployment.environment.name relation: equivalent - stability: development short: Environment of the service. type: keyword service.ephemeral_id: @@ -16045,7 +61501,6 @@ service.name: normalize: [] otel: - relation: match - stability: stable short: Name of the service. type: keyword service.node.name: @@ -16071,7 +61526,6 @@ service.node.name: otel: - attribute: service.instance.id relation: equivalent - stability: development short: Name of the service node. type: keyword service.node.role: 
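Review bot: the hunk headers put the new side far ahead of the old side (`@@ -15959,12 +61407,21 @@` here, `@@ -15605,6 +60716,263 @@` above), i.e. the generated file has grown by roughly 45,000 lines, far more than the entity and risk additions in these hunks account for; please confirm the regeneration was run on top of current main so the generated output contains only this PR's changes rather than a stale or duplicated artifact.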
@@ -16368,12 +61822,21 @@ service.origin.entity.type: login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: service-origin-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: service.origin.entity.type ignore_above: 1024 
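Review bot: the new `cloud` allowed value is described as "Represents a cloud or infrastructure", which does not say what a single `cloud` entity is (a provider, an account or project, a region?), and its one example, AWS EC2, is a compute service whose instances already map to entity type `host` through the `cloud_instance` sub_type listed under `entity.sub_type` in this patch. Since `entity.type` is normalized as an array, a producer that observes an EC2 instance cannot tell from this text whether to emit `host`, `cloud`, or both; tighten the description in schemas/entity.yml (the source of this generated list) to name the scope the value identifies and to distinguish it from `host`.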
@@ -16826,12 +62289,21 @@ service.target.entity.type: login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: service-target-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: service.target.entity.type ignore_above: 1024 @@ -17057,7 +62529,6 @@ service.version: normalize: [] otel: - relation: match - stability: stable short: Version of the service. type: keyword source.address: @@ -17075,7 +62546,6 @@ source.address: normalize: [] otel: - relation: match - stability: development short: Source network address. type: keyword source.as.number: @@ -17341,7 +62811,6 @@ source.port: normalize: [] otel: - relation: match - stability: development short: Port of the source. type: long source.registered_domain: 
@@ -17420,6 +62889,263 @@ source.user.email: original_fieldset: user short: User email address. type: keyword +source.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: source.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +source.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: source.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +source.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: source.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: source.user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +source.user.entity.id: + dashed_name: source-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: source.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +source.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: source.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +source.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: source.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +source.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: source.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +source.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: source.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: source.user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +source.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. 
+ flat_name: source.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +source.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: source.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +source.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: source.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +source.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: source.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +source.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. 
This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: source-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: source.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword source.user.full_name: dashed_name: source-user-full-name description: User's full name, if available. 
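Review bot: `source.user.entity.id` is the only field in this hunk without `beta: This field is beta and subject to change.`, while `source.user.entity.name`, `source.user.entity.type` and every other `entity.*` field carry it (the same holds for `server.user.entity.id` earlier in this patch). If `entity.id` is deliberately GA while the rest of the field set is beta, state that in the entity docs; otherwise add the marker in schemas/entity.yml so it is generated consistently for every nesting.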
@@ -17514,6 +63240,86 @@ source.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +source.user.risk.calculated_level: + dashed_name: source-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: source.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +source.user.risk.calculated_score: + dashed_name: source-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: source.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +source.user.risk.calculated_score_norm: + dashed_name: source-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: source.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +source.user.risk.static_level: + dashed_name: source-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: source.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +source.user.risk.static_score: + dashed_name: source-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: source.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +source.user.risk.static_score_norm: + dashed_name: source-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: source.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float source.user.roles: dashed_name: source-user-roles description: Array of user roles at the time of the event. @@ -23213,7 +69019,6 @@ tls.cipher: normalize: [] otel: - relation: match - stability: development short: String indicating the cipher used during the current connection. type: keyword tls.client.certificate: @@ -23229,7 +69034,6 @@ tls.client.certificate: normalize: [] otel: - relation: match - stability: development short: PEM-encoded stand-alone certificate offered by the client. type: keyword tls.client.certificate_chain: 
@@ -23246,7 +69050,6 @@ tls.client.certificate_chain: - array otel: - relation: match - stability: development short: Array of PEM-encoded certificates that make up the certificate chain offered by the client. type: keyword @@ -23263,7 +69066,6 @@ tls.client.hash.md5: normalize: [] otel: - relation: match - stability: development short: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. type: keyword @@ -23280,7 +69082,6 @@ tls.client.hash.sha1: normalize: [] otel: - relation: match - stability: development short: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. type: keyword @@ -23297,7 +69098,6 @@ tls.client.hash.sha256: normalize: [] otel: - relation: match - stability: development short: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. type: keyword @@ -23313,7 +69113,6 @@ tls.client.issuer: normalize: [] otel: - relation: match - stability: development short: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. type: keyword @@ -23329,7 +69128,6 @@ tls.client.ja3: normalize: [] otel: - relation: match - stability: development short: A hash that identifies clients based on how they perform an SSL/TLS handshake. type: keyword tls.client.not_after: @@ -23343,7 +69141,6 @@ tls.client.not_after: normalize: [] otel: - relation: match - stability: development short: Date/Time indicating when client certificate is no longer considered valid. type: date tls.client.not_before: @@ -23356,7 +69153,6 @@ tls.client.not_before: normalize: [] otel: - relation: match - stability: development short: Date/Time indicating when client certificate is first considered valid. type: date tls.client.server_name: 
@@ -23384,7 +69180,6 @@ tls.client.subject: normalize: [] otel: - relation: match - stability: development short: Distinguished name of subject of the x.509 certificate presented by the client. type: keyword tls.client.supported_ciphers: @@ -23400,7 +69195,6 @@ tls.client.supported_ciphers: - array otel: - relation: match - stability: development short: Array of ciphers offered by the client during the client hello. type: keyword tls.client.x509.alternative_names: @@ -23719,7 +69513,6 @@ tls.curve: normalize: [] otel: - relation: match - stability: development short: String indicating the curve used for the given cipher, when applicable. type: keyword tls.established: @@ -23732,7 +69525,6 @@ tls.established: normalize: [] otel: - relation: match - stability: development short: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. type: boolean @@ -23749,7 +69541,6 @@ tls.next_protocol: normalize: [] otel: - relation: match - stability: development short: String indicating the protocol being tunneled. type: keyword tls.resumed: @@ -23762,7 +69553,6 @@ tls.resumed: normalize: [] otel: - relation: match - stability: development short: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. type: boolean @@ -23779,7 +69569,6 @@ tls.server.certificate: normalize: [] otel: - relation: match - stability: development short: PEM-encoded stand-alone certificate offered by the server. type: keyword tls.server.certificate_chain: @@ -23796,7 +69585,6 @@ tls.server.certificate_chain: - array otel: - relation: match - stability: development short: Array of PEM-encoded certificates that make up the certificate chain offered by the server. type: keyword @@ -23813,7 +69601,6 @@ tls.server.hash.md5: normalize: [] otel: - relation: match - stability: development short: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. type: keyword 
@@ -23830,7 +69617,6 @@ tls.server.hash.sha1: normalize: [] otel: - relation: match - stability: development short: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. type: keyword @@ -23847,7 +69633,6 @@ tls.server.hash.sha256: normalize: [] otel: - relation: match - stability: development short: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. type: keyword @@ -23862,7 +69647,6 @@ tls.server.issuer: normalize: [] otel: - relation: match - stability: development short: Subject of the issuer of the x.509 certificate presented by the server. type: keyword tls.server.ja3s: @@ -23877,7 +69661,6 @@ tls.server.ja3s: normalize: [] otel: - relation: match - stability: development short: A hash that identifies servers based on how they perform an SSL/TLS handshake. type: keyword tls.server.not_after: @@ -23891,7 +69674,6 @@ tls.server.not_after: normalize: [] otel: - relation: match - stability: development short: Timestamp indicating when server certificate is no longer considered valid. type: date tls.server.not_before: @@ -23904,7 +69686,6 @@ tls.server.not_before: normalize: [] otel: - relation: match - stability: development short: Timestamp indicating when server certificate is first considered valid. type: date tls.server.subject: @@ -23918,7 +69699,6 @@ tls.server.subject: normalize: [] otel: - relation: match - stability: development short: Subject of the x.509 certificate presented by the server. type: keyword tls.server.x509.alternative_names: @@ -24299,7 +70079,6 @@ url.domain: normalize: [] otel: - relation: match - stability: development short: Domain of the url. type: keyword url.extension: @@ -24322,7 +70101,6 @@ url.extension: normalize: [] otel: - relation: match - stability: development short: File extension from the request url, excluding the leading dot. type: keyword url.fragment: 
@@ -24337,7 +70115,6 @@ url.fragment: normalize: [] otel: - relation: match - stability: stable short: Portion of the url after the `#`. type: keyword url.full: @@ -24355,7 +70132,6 @@ url.full: normalize: [] otel: - relation: match - stability: stable short: Full unparsed URL. type: wildcard url.original: @@ -24377,7 +70153,6 @@ url.original: normalize: [] otel: - relation: match - stability: development short: Unmodified original url as seen in the event source. type: wildcard url.password: @@ -24399,7 +70174,6 @@ url.path: normalize: [] otel: - relation: match - stability: stable short: Path of the request, such as "/search". type: wildcard url.port: @@ -24413,7 +70187,6 @@ url.port: normalize: [] otel: - relation: match - stability: development short: Port of the request, such as 443. type: long url.query: @@ -24432,7 +70205,6 @@ url.query: normalize: [] otel: - relation: match - stability: stable short: Query string of the request. type: keyword url.registered_domain: @@ -24452,7 +70224,6 @@ url.registered_domain: normalize: [] otel: - relation: match - stability: development short: The highest registered url domain, stripped of the subdomain. type: keyword url.scheme: @@ -24468,7 +70239,6 @@ url.scheme: normalize: [] otel: - relation: match - stability: stable short: Scheme of the url. type: keyword url.subdomain: @@ -24489,7 +70259,6 @@ url.subdomain: normalize: [] otel: - relation: match - stability: development short: The subdomain of the domain. type: keyword url.top_level_domain: @@ -24509,7 +70278,6 @@ url.top_level_domain: normalize: [] otel: - relation: match - stability: development short: The effective top level domain (com, org, net, co.uk). type: keyword url.username: 
@@ -24778,12 +70546,21 @@ user.changes.entity.type: login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: user-changes-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: user.changes.entity.type ignore_above: 1024 
@@ -25250,12 +71027,21 @@ user.effective.entity.type: login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: user-effective-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: user.effective.entity.type ignore_above: 1024 @@ -25464,7 +71250,6 @@ user.email: normalize: [] otel: - relation: match - stability: development short: User email address. type: keyword user.entity.attributes: 
@@ -25699,12 +71484,21 @@ user.entity.type: login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: user-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: user.entity.type ignore_above: 1024 @@ -25730,7 +71524,6 @@ user.full_name: normalize: [] otel: - relation: match - stability: development short: User's full name, if available. type: keyword user.group.domain: @@ -25782,7 +71575,6 @@ user.hash: normalize: [] otel: - relation: match - stability: development short: Unique user hash to correlate information for a user in anonymized form. type: keyword user.id: @@ -25796,7 +71588,6 @@ user.id: normalize: [] otel: - relation: match - stability: development short: Unique identifier of the user. type: keyword user.name: @@ -25814,7 +71605,6 @@ user.name: normalize: [] otel: - relation: match - stability: development short: Short name or login of the user. type: keyword user.risk.calculated_level: 
@@ -25909,7 +71699,6 @@ user.roles: - array otel: - relation: match - stability: development short: Array of user roles at the time of the event. synthetic_source_keep: none type: keyword @@ -26169,12 +71958,21 @@ user.target.entity.type: login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: user-target-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: user.target.entity.type ignore_above: 1024 @@ -26395,7 +72193,6 @@ user_agent.name: normalize: [] otel: - relation: match - stability: development short: Name of the user agent. type: keyword user_agent.original: @@ -26414,7 +72211,6 @@ user_agent.original: normalize: [] otel: - relation: match - stability: stable short: Unparsed user_agent string. type: keyword user_agent.os.family: @@ -26533,7 +72329,6 @@ user_agent.version: normalize: [] otel: - relation: match - stability: development short: Version of the user agent. type: keyword volume.bus_type: 
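Review bot: the `- stability: development` and `- stability: stable` deletions under the `otel:` blocks (tls.*, url.*, user.*, user_agent.* here, and again for base, client.*, cloud.* and container.* in the ecs_nested.yml hunks) have nothing to do with the entity-type and risk additions this PR is about and look like the generated files were rebuilt from a different base or a different generator version. Rebase onto current main and regenerate so the diff carries only the intended additions; as it stands a reviewer cannot tell whether dropping the OTel stability metadata from every mapped field is deliberate.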
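Review bot: in the `source.user.risk.*` hunk (and its mirror `client.user.risk.*` in ecs_nested.yml) the `short` text for `calculated_level`, `calculated_score`, `static_level` and `static_score` is a verbatim, two-line copy of the full `description`, while the `_norm` fields already get a proper one-liner (`short: A normalized risk score calculated by an internal system.`). Since `short` is what the field tables render, give the other four a single-sentence version too, and align `static_score_norm`'s `short` ("calculated by an external system") with its `description` ("obtained from outside the system"). These are reused from the `risk` field set, so fix the wording once in the schema source and regenerate rather than touching the generated files.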
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 37abbf431a..09c1e23fa2 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -214,10 +214,8 @@ base: otel: - attribute: k8s.pod.label relation: related - stability: development - attribute: container.label relation: related - stability: development short: Custom key/value pairs. type: object message: @@ -294,7 +292,6 @@ client: normalize: [] otel: - relation: match - stability: stable short: Client network address. type: keyword client.as.number: @@ -562,7 +559,6 @@ client: normalize: [] otel: - relation: match - stability: stable short: Port of the client. type: long client.registered_domain: 
@@ -641,6 +637,268 @@ client: original_fieldset: user short: User email address. type: keyword + client.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: client.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + client.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: client.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + client.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: client.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: client.user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + client.user.entity.id: + dashed_name: client-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: client.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + client.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: client.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + client.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: client.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + client.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: client.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + client.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: client.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: client.user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + client.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. 
+ flat_name: client.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + client.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: client.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + client.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: client.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + client.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: client.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + client.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. 
+ This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: client-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: client.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword client.user.full_name: dashed_name: client-user-full-name description: User's full name, if available. 
@@ -735,6 +993,86 @@ client: original_fieldset: user short: Short name or login of the user. type: keyword + client.user.risk.calculated_level: + dashed_name: client-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: client.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + client.user.risk.calculated_score: + dashed_name: client-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: client.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + client.user.risk.calculated_score_norm: + dashed_name: client-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: client.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + client.user.risk.static_level: + dashed_name: client-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: client.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + client.user.risk.static_score: + dashed_name: client-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: client.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + client.user.risk.static_score_norm: + dashed_name: client-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: client.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float client.user.roles: dashed_name: client-user-roles description: Array of user roles at the time of the event. @@ -787,7 +1125,6 @@ cloud: normalize: [] otel: - relation: match - stability: development short: The cloud account or organization id. type: keyword cloud.account.name: @@ -815,7 +1152,6 @@ cloud: normalize: [] otel: - relation: match - stability: development short: Availability zone in which this host, resource, or service is located. type: keyword cloud.entity.attributes: 
@@ -1055,12 +1391,21 @@ cloud: user login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: cloud-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: cloud.entity.type ignore_above: 1024 
@@ -1382,12 +1727,21 @@ cloud: user login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: cloud-origin-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: cloud.origin.entity.type ignore_above: 1024 @@ -1540,7 +1894,6 @@ cloud: normalize: [] otel: - relation: match - stability: development short: Name of the cloud provider. type: keyword cloud.region: @@ -1554,7 +1907,6 @@ cloud: normalize: [] otel: - relation: match - stability: development short: Region in which this host, resource, or service is located. type: keyword cloud.service.name: @@ -1573,7 +1925,6 @@ cloud: otel: - attribute: cloud.platform relation: equivalent - stability: development short: The cloud service name. type: keyword cloud.target.account.id: 
@@ -1855,12 +2206,21 @@ cloud: user login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: cloud-target-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: cloud.target.entity.type ignore_above: 1024 @@ -2203,7 +2563,6 @@ container: otel: - metric: container.cpu.usage relation: metric - stability: development scaling_factor: 1000 short: Percent CPU used, between 0 and 1. type: scaled_float @@ -2237,7 +2596,6 @@ container: normalize: [] otel: - relation: match - stability: development short: Unique container id. type: keyword container.image.hash.all: @@ -2255,7 +2613,6 @@ container: otel: - attribute: container.image.repo_digests relation: equivalent - stability: development short: An array of digests of the image the container was built on. type: keyword container.image.name: 
@@ -2268,7 +2625,6 @@ container: normalize: [] otel: - relation: match - stability: development short: Name of the image the container was built on. type: keyword container.image.tag: @@ -2283,7 +2639,6 @@ container: otel: - attribute: container.image.tags relation: equivalent - stability: development short: Container image tags. synthetic_source_keep: none type: keyword @@ -2298,7 +2653,6 @@ container: otel: - attribute: container.label relation: related - stability: development short: Image labels. type: object container.memory.usage: @@ -2312,7 +2666,6 @@ container: otel: - metric: container.memory.usage relation: metric - stability: development scaling_factor: 1000 short: Percent memory used, between 0 and 1. type: scaled_float @@ -2326,7 +2679,6 @@ container: normalize: [] otel: - relation: match - stability: development short: Container name. type: keyword container.network.egress.bytes: @@ -2361,7 +2713,6 @@ container: otel: - attribute: container.runtime.name relation: equivalent - stability: development short: Runtime managing this container. type: keyword container.security_context.privileged: @@ -2482,7 +2833,6 @@ destination: normalize: [] otel: - relation: match - stability: development short: Destination network address. type: keyword destination.as.number: @@ -2749,7 +3099,6 @@ destination: normalize: [] otel: - relation: match - stability: development short: Port of the destination. type: long destination.registered_domain: 
@@ -2828,6 +3177,268 @@ destination: original_fieldset: user short: User email address. type: keyword + destination.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: destination.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + destination.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: destination.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + destination.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: destination.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: destination.user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + destination.user.entity.id: + dashed_name: destination-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: destination.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + destination.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: destination.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + destination.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: destination.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + destination.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: destination.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + destination.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: destination.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: destination.user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + destination.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. 
+ flat_name: destination.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + destination.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: destination.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + destination.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: destination.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + destination.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: destination.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + destination.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. 
+ This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: destination.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword destination.user.full_name: dashed_name: destination-user-full-name description: User's full name, if available. 
@@ -2922,6 +3533,86 @@ destination: original_fieldset: user short: Short name or login of the user. type: keyword + destination.user.risk.calculated_level: + dashed_name: destination-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: destination.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + destination.user.risk.calculated_score: + dashed_name: destination-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: destination.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + destination.user.risk.calculated_score_norm: + dashed_name: destination-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: destination.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + destination.user.risk.static_level: + dashed_name: destination-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: destination.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + destination.user.risk.static_score: + dashed_name: destination-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: destination.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + destination.user.risk.static_score_norm: + dashed_name: destination-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: destination.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float destination.user.roles: dashed_name: destination-user-roles description: Array of user roles at the time of the event. @@ -2985,7 +3676,6 @@ device: normalize: [] otel: - relation: match - stability: development short: The unique identifier of a device. type: keyword device.manufacturer: @@ -2999,7 +3689,6 @@ device: normalize: [] otel: - relation: match - stability: development short: The vendor name of the device manufacturer. type: keyword device.model.identifier: @@ -3013,7 +3702,6 @@ device: normalize: [] otel: - relation: match - stability: development short: The machine readable identifier of the device model. type: keyword device.model.name: 
@@ -3027,7 +3715,6 @@ device: normalize: [] otel: - relation: match - stability: development short: The human readable marketing name of the device model. type: keyword device.product.id: @@ -3791,7 +4478,6 @@ dns: otel: - attribute: dns.answers relation: related - stability: development short: Array of DNS answers. type: object dns.answers.class: @@ -3931,7 +4617,6 @@ dns: normalize: [] otel: - relation: match - stability: development short: The name being queried. type: keyword dns.question.registered_domain: 
@@ -5019,6 +5704,268 @@ entity: short: The specific type designation for the entity as defined by its provider or system. type: keyword + entity.target.attributes: + beta: This field is beta and subject to change. + dashed_name: entity-target-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: entity.target.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + entity.target.behavior: + beta: This field is beta and subject to change. + dashed_name: entity-target-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: entity.target.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + entity.target.display_name: + beta: This field is beta and subject to change. + dashed_name: entity-target-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: entity.target.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: entity.target.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + entity.target.id: + dashed_name: entity-target-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: entity.target.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + entity.target.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: entity-target-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: entity.target.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + entity.target.lifecycle: + beta: This field is beta and subject to change. + dashed_name: entity-target-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: entity.target.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + entity.target.metrics: + beta: This field is beta and subject to change. + dashed_name: entity-target-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: entity.target.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + entity.target.name: + beta: This field is beta and subject to change. + dashed_name: entity-target-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: entity.target.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: entity.target.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + entity.target.raw: + beta: This field is beta and subject to change. + dashed_name: entity-target-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. 
+ flat_name: entity.target.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + entity.target.reference: + beta: This field is beta and subject to change. + dashed_name: entity-target-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: entity.target.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + entity.target.source: + beta: This field is beta and subject to change. + dashed_name: entity-target-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: entity.target.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + entity.target.sub_type: + beta: This field is beta and subject to change. + dashed_name: entity-target-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: entity.target.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. 
+ type: keyword + entity.target.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. 
+ name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: entity-target-type + description: 'A standardized high-level classification of the entity. 
This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: entity.target.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword entity.type: allowed_values: - description: Represents a storage container or bucket, typically used for @@ -5072,12 +6019,21 @@ entity: user login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: entity.type ignore_above: 1024 
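Review bot: in the `entity.target.type` and `entity.type` allowed_values hunks, the new `cloud` value overlaps with the existing `host` value: the `host` description already lists "cloud instances", while the `cloud` description names "AWS EC2" as an example service, so an EC2 instance could be classified either way. The opening phrase "Represents a cloud or infrastructure" is also too vague to act on. Suggest narrowing `cloud` to the provider/account/managed-service level and saying explicitly that individual resources keep their dedicated types, for example: `Represents a cloud provider, account, or managed service as a whole. Individual resources such as compute instances, buckets, or functions should use their dedicated types (host, bucket, function).` The identical text is repeated in the `host.entity.type` and `orchestrator.entity.type` hunks, so the change should be made in the source schema and the generated file regenerated rather than edited by hand.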
@@ -5087,8 +6043,15 @@ entity: - array short: Standardized high-level classification of the entity. type: keyword + footnote: The entity fields may be self-nested under entity.target.* to describe + the target entity in the context of an action or event. The fieldset entity.target.* + must not be confused with the root entity fieldset that is used to describe the + primary entity under observation. The fieldset entity.target.* may only be used + to describe the targeted entity of an action taken. group: 2 name: entity + nestings: + - entity.target prefix: entity. reusable: expected: @@ -5107,7 +6070,15 @@ entity: - as: entity at: orchestrator full: orchestrator.entity + - as: target + at: entity + full: entity.target + short_override: Targeted entity of action taken. top_level: false + reused_here: + - full: entity.target + schema_name: entity + short: Targeted entity of action taken. short: Fields to describe various types of entities across IT environments. title: Entity type: group @@ -5147,7 +6118,6 @@ error: otel: - attribute: exception.message relation: equivalent - stability: stable short: Error message. type: match_only_text error.stack_trace: @@ -5164,7 +6134,6 @@ error: otel: - attribute: exception.stacktrace relation: equivalent - stability: stable short: The stack trace of this error in plain text. type: wildcard error.type: @@ -5178,7 +6147,6 @@ error: normalize: [] otel: - relation: match - stability: stable short: The type of the error, for example the class name of the exception. type: keyword group: 2 @@ -6099,7 +7067,6 @@ faas: normalize: [] otel: - relation: match - stability: development short: Boolean value indicating a cold start of a function. type: boolean faas.execution: @@ -6114,7 +7081,6 @@ faas: otel: - attribute: faas.invocation_id relation: equivalent - stability: development short: The execution ID of the current function execution. type: keyword faas.id: 
@@ -6142,7 +7108,6 @@ faas: normalize: [] otel: - relation: match - stability: development short: The name of a serverless function. type: keyword faas.trigger.request_id: @@ -6174,7 +7139,6 @@ faas: otel: - attribute: faas.trigger relation: equivalent - stability: development short: The trigger for the function execution. type: keyword faas.version: @@ -6188,7 +7152,6 @@ faas: normalize: [] otel: - relation: match - stability: development short: The version of a serverless function. type: keyword group: 2 @@ -6217,7 +7180,6 @@ file: normalize: [] otel: - relation: match - stability: development short: Last time the file was accessed. type: date file.attributes: @@ -6236,7 +7198,6 @@ file: - array otel: - relation: match - stability: development short: Array of file attributes. synthetic_source_keep: none type: keyword @@ -6402,7 +7363,6 @@ file: normalize: [] otel: - relation: match - stability: development short: File creation time. type: date file.ctime: @@ -6418,7 +7378,6 @@ file: otel: - attribute: file.changed relation: equivalent - stability: development short: Last time the file attributes or metadata changed. type: date file.device: @@ -6444,7 +7403,6 @@ file: normalize: [] otel: - relation: match - stability: development short: Directory where the file is located. type: keyword file.drive_letter: @@ -6918,7 +7876,6 @@ file: normalize: [] otel: - relation: match - stability: development short: File extension, excluding the leading dot. type: keyword file.fork_name: @@ -6944,7 +7901,6 @@ file: normalize: [] otel: - relation: match - stability: development short: A fork is additional data associated with a filesystem object. type: keyword file.gid: @@ -6959,7 +7915,6 @@ file: otel: - attribute: file.group.id relation: equivalent - stability: development short: Primary group ID (GID) of the file. type: keyword file.group: 
@@ -6974,7 +7929,6 @@ file: otel: - attribute: file.group.name relation: equivalent - stability: development short: Primary group name of the file. type: keyword file.hash.cdhash: @@ -7079,7 +8033,6 @@ file: normalize: [] otel: - relation: match - stability: development short: Inode representing the file in the filesystem. type: keyword file.macho.go_import_hash: @@ -7305,7 +8258,6 @@ file: normalize: [] otel: - relation: match - stability: development short: Mode of the file in octal representation. type: keyword file.mtime: @@ -7318,7 +8270,6 @@ file: otel: - attribute: file.modified relation: equivalent - stability: development short: Last time the file content was modified. type: date file.name: @@ -7332,7 +8283,6 @@ file: normalize: [] otel: - relation: match - stability: development short: Name of the file including the extension, without the directory. type: keyword file.origin_referrer_url: @@ -7371,7 +8321,6 @@ file: otel: - attribute: file.owner.name relation: equivalent - stability: development short: File owner's username. type: keyword file.path: @@ -7390,7 +8339,6 @@ file: normalize: [] otel: - relation: match - stability: development short: Full path to the file, including the file name. type: keyword file.pe.architecture: @@ -7692,7 +8640,6 @@ file: normalize: [] otel: - relation: match - stability: development short: File size in bytes. type: long file.target_path: @@ -7710,7 +8657,6 @@ file: otel: - attribute: file.symbolic_link.target_path relation: equivalent - stability: development short: Target path for symlinks. type: keyword file.type: @@ -7736,7 +8682,6 @@ file: otel: - attribute: file.owner.id relation: equivalent - stability: development short: The user ID (UID) or security identifier (SID) of the file owner. type: keyword file.x509.alternative_names: 
@@ -8107,7 +9052,6 @@ gen_ai: normalize: [] otel: - relation: match - stability: development short: Free-form description of the GenAI agent provided by the application. type: keyword gen_ai.agent.id: @@ -8122,7 +9066,6 @@ gen_ai: normalize: [] otel: - relation: match - stability: development short: The unique identifier of the GenAI agent. type: keyword gen_ai.agent.name: @@ -8137,7 +9080,6 @@ gen_ai: normalize: [] otel: - relation: match - stability: development short: Human-readable name of the GenAI agent provided by the application. type: keyword gen_ai.operation.name: @@ -8152,7 +9094,6 @@ gen_ai: normalize: [] otel: - relation: match - stability: development short: The name of the operation being performed. type: keyword gen_ai.output.type: @@ -8167,7 +9108,6 @@ gen_ai: normalize: [] otel: - relation: match - stability: development short: Represents the content type requested by the client. type: keyword gen_ai.request.choice.count: @@ -8181,7 +9121,6 @@ gen_ai: normalize: [] otel: - relation: match - stability: development short: The target number of candidate completions to return. type: integer gen_ai.request.encoding_formats: @@ -8195,7 +9134,6 @@ gen_ai: normalize: [] otel: - relation: match - stability: development short: The encoding formats requested in an embeddings operation, if specified. type: nested gen_ai.request.frequency_penalty: @@ -8209,7 +9147,6 @@ gen_ai: normalize: [] otel: - relation: match - stability: development short: The frequency penalty setting for the GenAI request. type: double gen_ai.request.max_tokens: @@ -8223,7 +9160,6 @@ gen_ai: normalize: [] otel: - relation: match - stability: development short: The maximum number of tokens the model generates for a request. type: integer gen_ai.request.model: @@ -8238,7 +9174,6 @@ gen_ai: normalize: [] otel: - relation: match - stability: development short: The name of the GenAI model a request is being made to. type: keyword gen_ai.request.presence_penalty: 
@@ -8252,7 +9187,6 @@ gen_ai: normalize: [] otel: - relation: match - stability: development short: The presence penalty setting for the GenAI request. type: double gen_ai.request.seed: @@ -8266,7 +9200,6 @@ gen_ai: normalize: [] otel: - relation: match - stability: development short: Requests with same seed value more likely to return same result. type: integer gen_ai.request.stop_sequences: @@ -8281,7 +9214,6 @@ gen_ai: normalize: [] otel: - relation: match - stability: development short: List of sequences that the model will use to stop generating further tokens. type: nested @@ -8296,7 +9228,6 @@ gen_ai: normalize: [] otel: - relation: match - stability: development short: The temperature setting for the GenAI request. type: double gen_ai.request.top_k: @@ -8310,7 +9241,6 @@ gen_ai: normalize: [] otel: - relation: match - stability: development short: The top_k sampling setting for the GenAI request. type: double gen_ai.request.top_p: @@ -8324,7 +9254,6 @@ gen_ai: normalize: [] otel: - relation: match - stability: development short: The top_p sampling setting for the GenAI request. type: double gen_ai.response.finish_reasons: @@ -8339,7 +9268,6 @@ gen_ai: normalize: [] otel: - relation: match - stability: development short: Array of reasons the model stopped generating tokens, corresponding to each generation received. type: nested @@ -8355,7 +9283,6 @@ gen_ai: normalize: [] otel: - relation: match - stability: development short: The unique identifier for the completion. type: keyword gen_ai.response.model: @@ -8370,7 +9297,6 @@ gen_ai: normalize: [] otel: - relation: match - stability: development short: The name of the model that generated the response. type: keyword gen_ai.system: @@ -8387,7 +9313,6 @@ gen_ai: otel: - attribute: gen_ai.provider.name relation: equivalent - stability: development short: The Generative AI product as identified by the client or server instrumentation. type: keyword gen_ai.token.type: 
@@ -8402,7 +9327,6 @@ gen_ai: normalize: [] otel: - relation: match - stability: development short: The type of token being counted. type: keyword gen_ai.tool.call.id: @@ -8417,7 +9341,6 @@ gen_ai: normalize: [] otel: - relation: match - stability: development short: The tool call identifier. type: keyword gen_ai.tool.name: @@ -8432,7 +9355,6 @@ gen_ai: normalize: [] otel: - relation: match - stability: development short: Name of the tool utilized by the agent. type: keyword gen_ai.tool.type: @@ -8447,7 +9369,6 @@ gen_ai: normalize: [] otel: - relation: match - stability: development short: Type of the tool utilized by the agent type: keyword gen_ai.usage.input_tokens: @@ -8461,7 +9382,6 @@ gen_ai: normalize: [] otel: - relation: match - stability: development short: The number of tokens used in the GenAI input (prompt). type: integer gen_ai.usage.output_tokens: @@ -8475,7 +9395,6 @@ gen_ai: normalize: [] otel: - relation: match - stability: development short: The number of tokens used in the GenAI response (completion). type: integer group: 2 @@ -8504,7 +9423,6 @@ geo: otel: - attribute: geo.locality.name relation: equivalent - stability: development short: City name. type: keyword geo.continent_code: @@ -8519,7 +9437,6 @@ geo: otel: - attribute: geo.continent.code relation: equivalent - stability: development short: Continent code. type: keyword geo.continent_name: @@ -8545,7 +9462,6 @@ geo: otel: - attribute: geo.country.iso_code relation: equivalent - stability: development short: Country ISO code. type: keyword geo.country_name: @@ -8570,10 +9486,8 @@ geo: otel: - attribute: geo.location.lat relation: related - stability: development - attribute: geo.location.lon relation: related - stability: development short: Longitude and latitude. type: geo_point geo.name: @@ -8607,7 +9521,6 @@ geo: normalize: [] otel: - relation: match - stability: development short: Postal code. type: keyword geo.region_iso_code: 
@@ -8622,7 +9535,6 @@ geo: otel: - attribute: geo.region.iso_code relation: equivalent - stability: development short: Region ISO code. type: keyword geo.region_name: @@ -8889,7 +9801,6 @@ host: otel: - attribute: host.arch relation: equivalent - stability: development short: Operating system architecture. type: keyword host.boot.id: @@ -8922,7 +9833,6 @@ host: otel: - metric: system.cpu.utilization relation: metric - stability: development scaling_factor: 1000 short: Percent CPU used, between 0 and 1. type: scaled_float @@ -8937,7 +9847,6 @@ host: otel: - metric: system.disk.io relation: metric - stability: development short: The number of bytes read by all disks. type: long host.disk.write.bytes: @@ -8951,7 +9860,6 @@ host: otel: - metric: system.disk.io relation: metric - stability: development short: The number of bytes written on all disks. type: long host.domain: 
@@ -9206,12 +10114,21 @@ host: user login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: host-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: host.entity.type ignore_above: 1024 @@ -9388,7 +10305,6 @@ host: normalize: [] otel: - relation: match - stability: development short: Unique host id. type: keyword host.ip: @@ -9401,7 +10317,6 @@ host: - array otel: - relation: match - stability: development short: Host ip addresses. synthetic_source_keep: none type: ip @@ -9422,7 +10337,6 @@ host: - array otel: - relation: match - stability: development pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ short: Host MAC addresses. synthetic_source_keep: none @@ -9441,7 +10355,6 @@ host: normalize: [] otel: - relation: match - stability: development short: Name of the host. type: keyword host.network.egress.bytes: 
@@ -9455,7 +10368,6 @@ host: otel: - metric: system.network.io relation: metric - stability: development short: The number of bytes sent on all network interfaces. type: long host.network.egress.packets: @@ -9469,7 +10381,6 @@ host: otel: - metric: system.network.packet.count relation: metric - stability: development short: The number of packets sent on all network interfaces. type: long host.network.ingress.bytes: @@ -9483,7 +10394,6 @@ host: otel: - metric: system.network.io relation: metric - stability: development short: The number of bytes received on all network interfaces. type: long host.network.ingress.packets: @@ -9497,7 +10407,6 @@ host: otel: - metric: system.network.packet.count relation: metric - stability: development short: The number of packets received on all network interfaces. type: long host.os.family: @@ -9711,7 +10620,6 @@ host: normalize: [] otel: - relation: match - stability: development short: Type of host. type: keyword host.uptime: @@ -9725,7 +10633,6 @@ host: otel: - metric: system.uptime relation: metric - stability: development short: Seconds the host has been up. type: long group: 2 @@ -9768,7 +10675,6 @@ http: otel: - attribute: http.request.body.size relation: equivalent - stability: development short: Size in bytes of the request body. type: long http.request.body.content: @@ -9797,7 +10703,6 @@ http: otel: - attribute: http.request.size relation: equivalent - stability: development short: Total size in bytes of the request (body and headers). type: long http.request.id: @@ -9830,7 +10735,6 @@ http: otel: - attribute: http.request.method_original relation: equivalent - stability: stable - attribute: http.request.method note: '`http.request.method` in SemConv is the known, normalized, upper case value of the request method, other than the ECS'' `http.request.method` @@ -9838,7 +10742,6 @@ http: ' relation: conflict - stability: stable short: HTTP request method. type: keyword http.request.mime_type: 
@@ -9880,7 +10783,6 @@ http: otel: - attribute: http.response.body.size relation: equivalent - stability: development short: Size in bytes of the response body. type: long http.response.body.content: @@ -9909,7 +10811,6 @@ http: otel: - attribute: http.response.size relation: equivalent - stability: development short: Total size in bytes of the response (body and headers). type: long http.response.mime_type: @@ -9939,7 +10840,6 @@ http: normalize: [] otel: - relation: match - stability: stable short: HTTP response status code. type: long http.version: @@ -9954,14 +10854,12 @@ http: otel: - attribute: network.protocol.name relation: related - stability: stable - attribute: network.protocol.version note: 'In OTel SemConv, `network.protocol.version` specifies the HTTP version if the value of `network.protocol.name` is `http`. ' relation: related - stability: stable short: HTTP version. type: keyword group: 2 @@ -10051,7 +10949,6 @@ log: normalize: [] otel: - relation: match - stability: development short: Full path to the log file this event came from. type: keyword log.level: @@ -10673,7 +11570,6 @@ network: otel: - attribute: network.protocol.name relation: equivalent - stability: stable short: Application protocol name. type: keyword network.transport: @@ -10690,7 +11586,6 @@ network: normalize: [] otel: - relation: match - stability: stable short: Protocol Name corresponding to the field `iana_number`. type: keyword network.type: @@ -10707,7 +11602,6 @@ network: normalize: [] otel: - relation: match - stability: stable short: In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc type: keyword 
@@ -11620,12 +12514,21 @@ orchestrator: user login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: orchestrator-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: orchestrator.entity.type ignore_above: 1024 @@ -11834,7 +12737,6 @@ os: otel: - attribute: os.description relation: equivalent - stability: development short: Operating system name, including the version or code name. type: keyword os.kernel: @@ -11863,7 +12765,6 @@ os: normalize: [] otel: - relation: match - stability: development short: Operating system name, without the version. type: keyword os.platform: @@ -11903,7 +12804,6 @@ os: note: The expected values in ECS for `os.type` do not correspond with the values defined in semantic conventions! relation: conflict - stability: development short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or android).' type: keyword 
@@ -11918,7 +12818,6 @@ os: normalize: [] otel: - relation: match - stability: development short: Operating system version as a raw string. type: keyword group: 2 @@ -12410,7 +13309,6 @@ process: otel: - attribute: process.command_args relation: equivalent - stability: development short: Array of process arguments. type: keyword process.args_count: 
@@ -12427,216 +13325,723 @@ process: normalize: [] otel: - relation: match - stability: development short: Length of the process.args array. type: long - process.code_signature.digest_algorithm: - dashed_name: process-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. + process.attested_groups.domain: + dashed_name: process-attested-groups-domain + description: 'Name of the directory the group is a member of. - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.code_signature.digest_algorithm + For example, an LDAP or Active Directory domain name.' + flat_name: process.attested_groups.domain ignore_above: 1024 level: extended - name: digest_algorithm + name: domain normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. + original_fieldset: group + short: Name of the directory the group is a member of. type: keyword - process.code_signature.exists: - dashed_name: process-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.code_signature.flags + process.attested_groups.id: + dashed_name: process-attested-groups-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.attested_groups.id ignore_above: 1024 level: extended - name: flags + name: id normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword - process.code_signature.signing_id: - dashed_name: process-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.code_signature.signing_id + process.attested_groups.name: + dashed_name: process-attested-groups-name + description: Name of the group. + flat_name: process.attested_groups.name ignore_above: 1024 level: extended - name: signing_id + name: name normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. + original_fieldset: group + short: Name of the group. type: keyword - process.code_signature.status: - dashed_name: process-code-signature-status - description: 'Additional information about the certificate status. + process.attested_user.domain: + dashed_name: process-attested-user-domain + description: 'Name of the directory the user is a member of. - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.code_signature.status + For example, an LDAP or Active Directory domain name.' + flat_name: process.attested_user.domain ignore_above: 1024 level: extended - name: status + name: domain normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. + original_fieldset: user + short: Name of the directory the user is a member of. 
type: keyword - process.code_signature.subject_name: - dashed_name: process-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.code_signature.subject_name + process.attested_user.email: + dashed_name: process-attested-user-email + description: User email address. + flat_name: process.attested_user.email ignore_above: 1024 - level: core - name: subject_name + level: extended + name: email normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer + original_fieldset: user + short: User email address. type: keyword - process.code_signature.team_id: - dashed_name: process-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.code_signature.team_id - ignore_above: 1024 + process.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.attested_user.entity.attributes level: extended - name: team_id + name: attributes normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.code_signature.thumbprint_sha256: + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.attested_user.entity.behavior: beta: This field is beta and subject to change. 
- dashed_name: process-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.code_signature.thumbprint_sha256 - ignore_above: 64 + dashed_name: process-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.attested_user.entity.behavior level: extended - name: thumbprint_sha256 + name: behavior normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.attested_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. 
type: keyword - process.code_signature.timestamp: - dashed_name: process-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.code_signature.timestamp + process.attested_user.entity.id: + dashed_name: process-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.attested_user.entity.last_seen_timestamp level: extended - name: timestamp + name: last_seen_timestamp normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." type: date - process.code_signature.trusted: - dashed_name: process-code-signature-trusted - description: 'Stores the trust status of the certificate chain. 
- - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.code_signature.trusted + process.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.attested_user.entity.lifecycle level: extended - name: trusted + name: lifecycle normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - process.code_signature.valid: - dashed_name: process-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.code_signature.valid + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.attested_user.entity.metrics level: extended - name: valid + name: metrics normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - process.command_line: - dashed_name: process-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. 
- - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.command_line - level: extended + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.attested_user.entity.name + ignore_above: 1024 + level: core multi_fields: - - flat_name: process.command_line.text + - flat_name: process.attested_user.entity.name.text name: text type: match_only_text - name: command_line + name: name normalize: [] - otel: - - relation: match - stability: development - short: Full command line that started the process. - type: wildcard - process.elf.architecture: - dashed_name: process-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.elf.architecture - ignore_above: 1024 + original_fieldset: entity + short: The name of the entity. + type: keyword + process.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.attested_user.entity.raw level: extended - name: architecture + name: raw normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. 
- type: keyword - process.elf.byte_order: - dashed_name: process-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.elf.byte_order + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.attested_user.entity.reference ignore_above: 1024 level: extended - name: byte_order + name: reference normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. type: keyword - process.elf.cpu_type: - dashed_name: process-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.elf.cpu_type + process.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.attested_user.entity.source ignore_above: 1024 - level: extended - name: cpu_type + level: core + name: source normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. 
This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. 
+ name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. 
This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.attested_user.full_name: + dashed_name: process-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.attested_user.group.domain: + dashed_name: process-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.attested_user.group.id: + dashed_name: process-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.attested_user.group.name: + dashed_name: process-attested-user-group-name + description: Name of the group. + flat_name: process.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.attested_user.hash: + dashed_name: process-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.attested_user.id: + dashed_name: process-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.attested_user.name: + dashed_name: process-attested-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.attested_user.risk.calculated_level: + dashed_name: process-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.attested_user.risk.calculated_score: + dashed_name: process-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.attested_user.risk.calculated_score_norm: + dashed_name: process-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float + process.attested_user.risk.static_level: + dashed_name: process-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.attested_user.risk.static_score: + dashed_name: process-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.attested_user.risk.static_score_norm: + dashed_name: process-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.attested_user.roles: + dashed_name: process-attested-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.code_signature.digest_algorithm: + dashed_name: process-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword + process.code_signature.exists: + dashed_name: process-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword + process.code_signature.signing_id: + dashed_name: process-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' 
+ example: com.apple.xpc.proxy + flat_name: process.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + process.code_signature.status: + dashed_name: process-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + process.code_signature.subject_name: + dashed_name: process-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.code_signature.team_id: + dashed_name: process-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + process.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. 
+ example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword + process.code_signature.timestamp: + dashed_name: process-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date + process.code_signature.trusted: + dashed_name: process-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.code_signature.valid: + dashed_name: process-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + process.command_line: + dashed_name: process-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' 
+ example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.command_line + level: extended + multi_fields: + - flat_name: process.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + otel: + - relation: match + short: Full command line that started the process. + type: wildcard + process.elf.architecture: + dashed_name: process-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.elf.byte_order: + dashed_name: process-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + process.elf.cpu_type: + dashed_name: process-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword process.elf.creation_date: dashed_name: process-elf-creation-date description: Extracted when possible from the file's metadata. Indicates when 
@@ -13054,6 +14459,17 @@ process: normalize: [] short: The time the process ended. type: date + process.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean process.entity_id: dashed_name: process-entity-id description: 'Unique identifier for the process. @@ -13104,6 +14520,30 @@ process: original_fieldset: process short: Length of the process.args array. type: long + process.entry_leader.attested_groups.domain: + dashed_name: process-entry-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.attested_groups.id: + dashed_name: process-entry-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword process.entry_leader.attested_groups.name: dashed_name: process-entry-leader-attested-groups-name description: Name of the group. 
@@ -13115,387 +14555,325 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.entry_leader.attested_user.id: - dashed_name: process-entry-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.attested_user.id + process.entry_leader.attested_user.domain: + dashed_name: process-entry-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.attested_user.domain ignore_above: 1024 - level: core - name: id + level: extended + name: domain normalize: [] original_fieldset: user - short: Unique identifier of the user. + short: Name of the directory the user is a member of. type: keyword - process.entry_leader.attested_user.name: - dashed_name: process-entry-leader-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.attested_user.name + process.entry_leader.attested_user.email: + dashed_name: process-entry-leader-attested-user-email + description: User email address. + flat_name: process.entry_leader.attested_user.email ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.attested_user.name.text - name: text - type: match_only_text - name: name + level: extended + name: email normalize: [] original_fieldset: user - short: Short name or login of the user. + short: User email address. type: keyword - process.entry_leader.command_line: - dashed_name: process-entry-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' 
- example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.entry_leader.command_line + process.entry_leader.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.entry_leader.attested_user.entity.attributes level: extended - multi_fields: - - flat_name: process.entry_leader.command_line.text - name: text - type: match_only_text - name: command_line + name: attributes normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.entry_leader.entity_id: - dashed_name: process-entry-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.entry_leader.entry_meta.source.ip: - dashed_name: process-entry-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). 
- flat_name: process.entry_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip - process.entry_leader.entry_meta.type: - dashed_name: process-entry-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.entry_leader.entry_meta.type - ignore_above: 1024 + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.entry_leader.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.attested_user.entity.behavior level: extended - name: entry_meta.type + name: behavior normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword - process.entry_leader.executable: - dashed_name: process-entry-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.entry_leader.executable + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.entry_leader.attested_user.entity.display_name: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.attested_user.entity.display_name ignore_above: 1024 level: extended multi_fields: - - flat_name: process.entry_leader.executable.text + - flat_name: process.entry_leader.attested_user.entity.display_name.text name: text type: match_only_text - name: executable + name: display_name normalize: [] - original_fieldset: process - short: Absolute path to the process executable. + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. type: keyword - process.entry_leader.group.id: - dashed_name: process-entry-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.group.id + process.entry_leader.attested_user.entity.id: + dashed_name: process-entry-leader-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.entry_leader.attested_user.entity.id ignore_above: 1024 - level: extended + level: core name: id normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
+ original_fieldset: entity + short: Unique identifier for the entity. type: keyword - process.entry_leader.group.name: - dashed_name: process-entry-leader-group-name - description: Name of the group. - flat_name: process.entry_leader.group.name - ignore_above: 1024 + process.entry_leader.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.attested_user.entity.last_seen_timestamp level: extended - name: name + name: last_seen_timestamp normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.interactive: - dashed_name: process-entry-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.entry_leader.interactive + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.entry_leader.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.attested_user.entity.lifecycle level: extended - name: interactive + name: lifecycle normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.entry_leader.name: - dashed_name: process-entry-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.entry_leader.name - ignore_above: 1024 + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.entry_leader.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.entry_leader.attested_user.entity.metrics level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.entry_leader.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. 
+ flat_name: process.entry_leader.attested_user.entity.name + ignore_above: 1024 + level: core multi_fields: - - flat_name: process.entry_leader.name.text + - flat_name: process.entry_leader.attested_user.entity.name.text name: text type: match_only_text name: name normalize: [] - original_fieldset: process - short: Process name. + original_fieldset: entity + short: The name of the entity. type: keyword - process.entry_leader.parent.entity_id: - dashed_name: process-entry-leader-parent-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.parent.entity_id - ignore_above: 1024 + process.entry_leader.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.entry_leader.attested_user.entity.raw level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.entry_leader.parent.pid: - dashed_name: process-entry-leader-parent-pid - description: Process id. - example: 4242 - flat_name: process.entry_leader.parent.pid - format: string - level: core - name: pid + name: raw normalize: [] - original_fieldset: process - short: Process id. 
- type: long - process.entry_leader.parent.session_leader.entity_id: - dashed_name: process-entry-leader-parent-session-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.parent.session_leader.entity_id + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.entry_leader.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.attested_user.entity.reference ignore_above: 1024 level: extended - name: entity_id + name: reference normalize: [] - original_fieldset: process - short: Unique identifier for the process. + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. type: keyword - process.entry_leader.parent.session_leader.pid: - dashed_name: process-entry-leader-parent-session-leader-pid - description: Process id. - example: 4242 - flat_name: process.entry_leader.parent.session_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. 
- type: long - process.entry_leader.parent.session_leader.start: - dashed_name: process-entry-leader-parent-session-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.session_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.entry_leader.parent.session_leader.vpid: - dashed_name: process-entry-leader-parent-session-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.entry_leader.parent.session_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.entry_leader.parent.start: - dashed_name: process-entry-leader-parent-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.entry_leader.parent.vpid: - dashed_name: process-entry-leader-parent-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.entry_leader.parent.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.entry_leader.pid: - dashed_name: process-entry-leader-pid - description: Process id. 
- example: 4242 - flat_name: process.entry_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.entry_leader.real_group.id: - dashed_name: process-entry-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.real_group.id + process.entry_leader.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.entry_leader.attested_user.entity.source ignore_above: 1024 - level: extended - name: id + level: core + name: source normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: entity + short: Source module or integration that provided the entity data. type: keyword - process.entry_leader.real_group.name: - dashed_name: process-entry-leader-real-group-name - description: Name of the group. - flat_name: process.entry_leader.real_group.name + process.entry_leader.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.attested_user.entity.sub_type ignore_above: 1024 level: extended - name: name + name: sub_type normalize: [] - original_fieldset: group - short: Name of the group. 
+ original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. type: keyword - process.entry_leader.real_user.id: - dashed_name: process-entry-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.real_user.id + process.entry_leader.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. 
+ This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.entry_leader.attested_user.entity.type ignore_above: 1024 level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. type: keyword - process.entry_leader.real_user.name: - dashed_name: process-entry-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.real_user.name + process.entry_leader.attested_user.full_name: + dashed_name: process-entry-leader-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.attested_user.full_name ignore_above: 1024 - level: core + level: extended multi_fields: - - flat_name: process.entry_leader.real_user.name.text + - flat_name: process.entry_leader.attested_user.full_name.text name: text type: match_only_text - name: name + name: full_name normalize: [] original_fieldset: user - short: Short name or login of the user. + short: User's full name, if available. 
type: keyword - process.entry_leader.same_as_process: - dashed_name: process-entry-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` + process.entry_leader.attested_user.group.domain: + dashed_name: process-entry-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.entry_leader.same_as_process + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.attested_user.group.domain + ignore_above: 1024 level: extended - name: same_as_process + name: domain normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.entry_leader.saved_group.id: - dashed_name: process-entry-leader-saved-group-id + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.entry_leader.attested_user.group.id: + dashed_name: process-entry-leader-attested-user-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.saved_group.id + flat_name: process.entry_leader.attested_user.group.id ignore_above: 1024 level: extended name: id @@ -13503,10 +14881,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.entry_leader.saved_group.name: - dashed_name: process-entry-leader-saved-group-name + process.entry_leader.attested_user.group.name: + dashed_name: process-entry-leader-attested-user-group-name description: Name of the group. - flat_name: process.entry_leader.saved_group.name + flat_name: process.entry_leader.attested_user.group.name ignore_above: 1024 level: extended name: name @@ -13514,11 +14892,26 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.entry_leader.saved_user.id: - dashed_name: process-entry-leader-saved-user-id + process.entry_leader.attested_user.hash: + dashed_name: process-entry-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.attested_user.id: + dashed_name: process-entry-leader-attested-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.saved_user.id + flat_name: process.entry_leader.attested_user.id ignore_above: 1024 level: core name: id 
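Review bot: the `description` of `process.entry_leader.attested_user.entity.name` in the preceding hunk reads "this field should mirrors the corresponding *.name value"; it should be "should mirror". The stanza carries `original_fieldset: entity`, so the wording is copied from the entity field definition: correct it there and regenerate rather than hand-editing this file, or the next regeneration will reintroduce it. Two smaller points in the same hunk: `process.entry_leader.attested_user.entity.id` is the only `entity.*` stanza here without the `beta: This field is beta and subject to change.` marker that `last_seen_timestamp`, `lifecycle`, `metrics`, `name`, `raw`, `reference`, `source`, `sub_type` and `type` all carry, which looks unintentional and should be confirmed; and the `entity.id` description's "ARNs values in AWS" should read "ARN values in AWS", while the `sub_type` description has stray spaces before the commas in "`hardware` , `virtual` , `container` , `node` , `cloud_instance`".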
@@ -13526,15 +14919,15 @@ process: original_fieldset: user short: Unique identifier of the user. type: keyword - process.entry_leader.saved_user.name: - dashed_name: process-entry-leader-saved-user-name + process.entry_leader.attested_user.name: + dashed_name: process-entry-leader-attested-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.entry_leader.saved_user.name + flat_name: process.entry_leader.attested_user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.entry_leader.saved_user.name.text + - flat_name: process.entry_leader.attested_user.name.text name: text type: match_only_text name: name 
@@ -13542,250 +14935,262 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword - process.entry_leader.start: - dashed_name: process-entry-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.entry_leader.supplemental_groups.id: - dashed_name: process-entry-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.supplemental_groups.id + process.entry_leader.attested_user.risk.calculated_level: + dashed_name: process-entry-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.attested_user.risk.calculated_level ignore_above: 1024 level: extended - name: id + name: calculated_level normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. type: keyword - process.entry_leader.supplemental_groups.name: - dashed_name: process-entry-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.entry_leader.supplemental_groups.name - ignore_above: 1024 + process.entry_leader.attested_user.risk.calculated_score: + dashed_name: process-entry-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.entry_leader.attested_user.risk.calculated_score level: extended - name: name + name: calculated_score normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.tty: - dashed_name: process-entry-leader-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.entry_leader.tty + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.entry_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.attested_user.risk.calculated_score_norm level: extended - name: tty + name: calculated_score_norm normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.entry_leader.tty.char_device.major: - dashed_name: process-entry-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.entry_leader.tty.char_device.major + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float + process.entry_leader.attested_user.risk.static_level: + dashed_name: process-entry-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.attested_user.risk.static_level + ignore_above: 1024 level: extended - name: tty.char_device.major + name: static_level normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long - process.entry_leader.tty.char_device.minor: - dashed_name: process-entry-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.entry_leader.tty.char_device.minor + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.entry_leader.attested_user.risk.static_score: + dashed_name: process-entry-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.attested_user.risk.static_score level: extended - name: tty.char_device.minor + name: static_score normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long - process.entry_leader.user.id: - dashed_name: process-entry-leader-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.user.id - ignore_above: 1024 - level: core - name: id + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.entry_leader.attested_user.risk.static_score_norm: + dashed_name: process-entry-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.attested_user.roles: + dashed_name: process-entry-leader-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array original_fieldset: user - short: Unique identifier of the user. + short: Array of user roles at the time of the event. + synthetic_source_keep: none type: keyword - process.entry_leader.user.name: - dashed_name: process-entry-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.user.name + process.entry_leader.code_signature.digest_algorithm: + dashed_name: process-entry-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' 
+ example: sha256 + flat_name: process.entry_leader.code_signature.digest_algorithm ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.user.name.text - name: text - type: match_only_text - name: name + level: extended + name: digest_algorithm normalize: [] - original_fieldset: user - short: Short name or login of the user. + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. type: keyword - process.entry_leader.vpid: - dashed_name: process-entry-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.entry_leader.vpid - format: string + process.entry_leader.code_signature.exists: + dashed_name: process-entry-leader-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.entry_leader.code_signature.exists level: core - name: vpid + name: exists normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.entry_leader.working_directory: - dashed_name: process-entry-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.entry_leader.working_directory + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.entry_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-code-signature-flags + description: The flags used to sign the process. 
+ example: 570522385 + flat_name: process.entry_leader.code_signature.flags ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.entry_leader.working_directory.text - name: text - type: match_only_text - name: working_directory + name: flags normalize: [] - original_fieldset: process - short: The working directory of the process. + original_fieldset: code_signature + short: Code signing flags of the process type: keyword - process.env_vars: - dashed_name: process-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. + process.entry_leader.code_signature.signing_id: + dashed_name: process-entry-leader-code-signature-signing-id + description: 'The identifier used to sign the process. - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.env_vars + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.entry_leader.code_signature.signing_id ignore_above: 1024 level: extended - name: env_vars - normalize: - - array - short: Array of environment variable bindings. - synthetic_source_keep: none + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. type: keyword - process.executable: - dashed_name: process-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.executable + process.entry_leader.code_signature.status: + dashed_name: process-entry-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' 
+ example: ERROR_UNTRUSTED_ROOT + flat_name: process.entry_leader.code_signature.status ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.executable.text - name: text - type: match_only_text - name: executable + name: status normalize: [] - otel: - - attribute: process.executable.path - relation: equivalent - stability: development - short: Absolute path to the process executable. + original_fieldset: code_signature + short: Additional information about the certificate status. type: keyword - process.exit_code: - dashed_name: process-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.exit_code - level: extended - name: exit_code + process.entry_leader.code_signature.subject_name: + dashed_name: process-entry-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.entry_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name normalize: [] - short: The exit code of the process. - type: long - process.group.id: - dashed_name: process-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group.id + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.entry_leader.code_signature.team_id: + dashed_name: process-entry-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.entry_leader.code_signature.team_id ignore_above: 1024 level: extended - name: id + name: team_id normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
+ original_fieldset: code_signature + short: The team identifier used to sign the process. type: keyword - process.group.name: - dashed_name: process-group-name - description: Name of the group. - flat_name: process.group.name - ignore_above: 1024 + process.entry_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.entry_leader.code_signature.thumbprint_sha256 + ignore_above: 64 level: extended - name: name + name: thumbprint_sha256 normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. type: keyword - process.group_leader.args: - dashed_name: process-group-leader-args - description: 'Array of process arguments, starting with the absolute path to - the executable. + process.entry_leader.code_signature.timestamp: + dashed_name: process-entry-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.entry_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date + process.entry_leader.code_signature.trusted: + dashed_name: process-entry-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. - May be filtered to protect sensitive information.' 
- example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.group_leader.args - ignore_above: 1024 + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.entry_leader.code_signature.trusted level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.group_leader.args_count: - dashed_name: process-group-leader-args-count - description: 'Length of the process.args array. + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.entry_leader.code_signature.valid: + dashed_name: process-entry-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.group_leader.args_count + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.entry_leader.code_signature.valid level: extended - name: args_count + name: valid normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long - process.group_leader.command_line: - dashed_name: process-group-leader-command-line + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + process.entry_leader.command_line: + dashed_name: process-entry-leader-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' 
example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.group_leader.command_line + flat_name: process.entry_leader.command_line level: extended multi_fields: - - flat_name: process.group_leader.command_line.text + - flat_name: process.entry_leader.command_line.text name: text type: match_only_text name: command_line 
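Review bot: the `-` lines in this hunk delete the definitions of `process.env_vars`, `process.executable` (including its `otel` mapping to `process.executable.path`), `process.exit_code`, `process.group.id`, `process.group.name` and the start of `process.group_leader.*`, while the `+` lines add only `process.entry_leader.code_signature.*` entries; if those core fields are really gone this is a breaking schema change unrelated to the "update entity description" subject, and if they still exist further down the file the diff is just mis-aligned because the generated artifact was re-emitted, so please confirm the removed entries reappear later and regenerate the file from the schemas so the PR states which fields are actually new. Also, the new `short` values for `code_signature.flags` ("Code signing flags of the process") and `code_signature.subject_name` ("Subject name of the code signer") lack the trailing period every other `short` in the hunk uses; since this file is generated, that fix belongs in the source schema rather than here.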
@@ -13793,551 +15198,1106 @@ process: original_fieldset: process short: Full command line that started the process. type: wildcard - process.group_leader.entity_id: - dashed_name: process-group-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.group_leader.entity_id + process.entry_leader.elf.architecture: + dashed_name: process-entry-leader-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.entry_leader.elf.architecture ignore_above: 1024 level: extended - name: entity_id + name: architecture normalize: [] - original_fieldset: process - short: Unique identifier for the process. + original_fieldset: elf + short: Machine architecture of the ELF file. type: keyword - process.group_leader.executable: - dashed_name: process-group-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.group_leader.executable + process.entry_leader.elf.byte_order: + dashed_name: process-entry-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.entry_leader.elf.byte_order ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.group_leader.executable.text - name: text - type: match_only_text - name: executable + name: byte_order normalize: [] - original_fieldset: process - short: Absolute path to the process executable. + original_fieldset: elf + short: Byte sequence of ELF file. 
type: keyword - process.group_leader.group.id: - dashed_name: process-group-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.group.id + process.entry_leader.elf.cpu_type: + dashed_name: process-entry-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.entry_leader.elf.cpu_type ignore_above: 1024 level: extended - name: id + name: cpu_type normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: elf + short: CPU type of the ELF file. type: keyword - process.group_leader.group.name: - dashed_name: process-group-leader-group-name - description: Name of the group. - flat_name: process.group_leader.group.name - ignore_above: 1024 + process.entry_leader.elf.creation_date: + dashed_name: process-entry-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: process.entry_leader.elf.creation_date level: extended - name: name + name: creation_date normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.group_leader.interactive: - dashed_name: process-group-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' 
- example: true - flat_name: process.group_leader.interactive + original_fieldset: elf + short: Build or compile date. + type: date + process.entry_leader.elf.exports: + dashed_name: process-entry-leader-elf-exports + description: List of exported element names and types. + flat_name: process.entry_leader.elf.exports level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.group_leader.name: - dashed_name: process-group-leader-name - description: 'Process name. + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + process.entry_leader.elf.go_import_hash: + dashed_name: process-entry-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. - Sometimes called program name or similar.' - example: ssh - flat_name: process.group_leader.name + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.elf.go_import_hash ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.group_leader.name.text - name: text - type: match_only_text - name: name + name: go_import_hash normalize: [] - original_fieldset: process - short: Process name. + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. type: keyword - process.group_leader.pid: - dashed_name: process-group-leader-pid - description: Process id. 
- example: 4242 - flat_name: process.group_leader.pid - format: string - level: core - name: pid + process.entry_leader.elf.go_imports: + dashed_name: process-entry-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.elf.go_imports + level: extended + name: go_imports normalize: [] - original_fieldset: process - otel: - - relation: match - stability: development - short: Process id. + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.entry_leader.elf.go_imports_names_entropy: + dashed_name: process-entry-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. type: long - process.group_leader.real_group.id: - dashed_name: process-group-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.real_group.id + process.entry_leader.elf.go_imports_names_var_entropy: + dashed_name: process-entry-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.elf.go_stripped: + dashed_name: process-entry-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. 
+ flat_name: process.entry_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.entry_leader.elf.header.abi_version: + dashed_name: process-entry-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.entry_leader.elf.header.abi_version ignore_above: 1024 level: extended - name: id + name: header.abi_version normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). type: keyword - process.group_leader.real_group.name: - dashed_name: process-group-leader-real-group-name - description: Name of the group. - flat_name: process.group_leader.real_group.name + process.entry_leader.elf.header.class: + dashed_name: process-entry-leader-elf-header-class + description: Header class of the ELF file. + flat_name: process.entry_leader.elf.header.class ignore_above: 1024 level: extended - name: name + name: header.class normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: elf + short: Header class of the ELF file. type: keyword - process.group_leader.real_user.id: - dashed_name: process-group-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.real_user.id + process.entry_leader.elf.header.data: + dashed_name: process-entry-leader-elf-header-data + description: Data table of the ELF header. + flat_name: process.entry_leader.elf.header.data ignore_above: 1024 - level: core - name: id + level: extended + name: header.data normalize: [] - original_fieldset: user - short: Unique identifier of the user. + original_fieldset: elf + short: Data table of the ELF header. 
type: keyword - process.group_leader.real_user.name: - dashed_name: process-group-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.group_leader.same_as_process: - dashed_name: process-group-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.group_leader.same_as_process + process.entry_leader.elf.header.entrypoint: + dashed_name: process-entry-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. 
+ flat_name: process.entry_leader.elf.header.entrypoint + format: string level: extended - name: same_as_process + name: header.entrypoint normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.group_leader.saved_group.id: - dashed_name: process-group-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.saved_group.id + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.entry_leader.elf.header.object_version: + dashed_name: process-entry-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.entry_leader.elf.header.object_version ignore_above: 1024 level: extended - name: id + name: header.object_version normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: elf + short: '"0x1" for original ELF files.' type: keyword - process.group_leader.saved_group.name: - dashed_name: process-group-leader-saved-group-name - description: Name of the group. - flat_name: process.group_leader.saved_group.name + process.entry_leader.elf.header.os_abi: + dashed_name: process-entry-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.entry_leader.elf.header.os_abi ignore_above: 1024 level: extended - name: name + name: header.os_abi normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. type: keyword - process.group_leader.saved_user.id: - dashed_name: process-group-leader-saved-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.saved_user.id + process.entry_leader.elf.header.type: + dashed_name: process-entry-leader-elf-header-type + description: Header type of the ELF file. + flat_name: process.entry_leader.elf.header.type ignore_above: 1024 - level: core - name: id + level: extended + name: header.type normalize: [] - original_fieldset: user - short: Unique identifier of the user. + original_fieldset: elf + short: Header type of the ELF file. type: keyword - process.group_leader.saved_user.name: - dashed_name: process-group-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.saved_user.name + process.entry_leader.elf.header.version: + dashed_name: process-entry-leader-elf-header-version + description: Version of the ELF header. + flat_name: process.entry_leader.elf.header.version ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.group_leader.start: - dashed_name: process-group-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.group_leader.start level: extended - name: start + name: header.version normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.group_leader.supplemental_groups.id: - dashed_name: process-group-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.supplemental_groups.id + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.entry_leader.elf.import_hash: + dashed_name: process-entry-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. 
An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.elf.import_hash ignore_above: 1024 level: extended - name: id + name: import_hash normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: elf + short: A hash of the imports in an ELF file. type: keyword - process.group_leader.supplemental_groups.name: - dashed_name: process-group-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.group_leader.supplemental_groups.name - ignore_above: 1024 + process.entry_leader.elf.imports: + dashed_name: process-entry-leader-elf-imports + description: List of imported element names and types. + flat_name: process.entry_leader.elf.imports level: extended - name: name + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.entry_leader.elf.imports_names_entropy: + dashed_name: process-entry-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.entry_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.group_leader.tty: - dashed_name: process-group-leader-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.group_leader.tty + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. 
+ type: long + process.entry_leader.elf.imports_names_var_entropy: + dashed_name: process-entry-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.elf.imports_names_var_entropy + format: number level: extended - name: tty + name: imports_names_var_entropy normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.group_leader.tty.char_device.major: - dashed_name: process-group-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.group_leader.tty.char_device.major + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.entry_leader.elf.sections: + dashed_name: process-entry-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.entry_leader.elf.sections level: extended - name: tty.char_device.major + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.entry_leader.elf.sections.chi2: + dashed_name: process-entry-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.entry_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 normalize: [] - original_fieldset: process - short: The TTY character device's major number. 
+ original_fieldset: elf + short: Chi-square probability distribution of the section. type: long - process.group_leader.tty.char_device.minor: - dashed_name: process-group-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.group_leader.tty.char_device.minor + process.entry_leader.elf.sections.entropy: + dashed_name: process-entry-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.elf.sections.entropy + format: number level: extended - name: tty.char_device.minor + name: sections.entropy normalize: [] - original_fieldset: process - short: The TTY character device's minor number. + original_fieldset: elf + short: Shannon entropy calculation from the section. type: long - process.group_leader.user.id: - dashed_name: process-group-leader-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.user.id + process.entry_leader.elf.sections.flags: + dashed_name: process-entry-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.entry_leader.elf.sections.flags ignore_above: 1024 - level: core - name: id + level: extended + name: sections.flags normalize: [] - original_fieldset: user - short: Unique identifier of the user. + original_fieldset: elf + short: ELF Section List flags. type: keyword - process.group_leader.user.name: - dashed_name: process-group-leader-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.group_leader.user.name + process.entry_leader.elf.sections.name: + dashed_name: process-entry-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.entry_leader.elf.sections.name ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.user.name.text - name: text - type: match_only_text - name: name + level: extended + name: sections.name normalize: [] - original_fieldset: user - short: Short name or login of the user. + original_fieldset: elf + short: ELF Section List name. type: keyword - process.group_leader.vpid: - dashed_name: process-group-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.group_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.group_leader.working_directory: - dashed_name: process-group-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.group_leader.working_directory + process.entry_leader.elf.sections.physical_offset: + dashed_name: process-entry-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.entry_leader.elf.sections.physical_offset ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.group_leader.working_directory.text - name: text - type: match_only_text - name: working_directory + name: sections.physical_offset normalize: [] - original_fieldset: process - short: The working directory of the process. + original_fieldset: elf + short: ELF Section List offset. type: keyword - process.hash.cdhash: - beta: This field is beta and subject to change. 
- dashed_name: process-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.hash.cdhash - ignore_above: 1024 + process.entry_leader.elf.sections.physical_size: + dashed_name: process-entry-leader-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.entry_leader.elf.sections.physical_size + format: bytes level: extended - name: cdhash + name: sections.physical_size normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.hash.md5: - dashed_name: process-hash-md5 - description: MD5 hash. - flat_name: process.hash.md5 + original_fieldset: elf + short: ELF Section List physical size. + type: long + process.entry_leader.elf.sections.type: + dashed_name: process-entry-leader-elf-sections-type + description: ELF Section List type. + flat_name: process.entry_leader.elf.sections.type ignore_above: 1024 level: extended - name: md5 + name: sections.type normalize: [] - original_fieldset: hash - short: MD5 hash. + original_fieldset: elf + short: ELF Section List type. type: keyword - process.hash.sha1: - dashed_name: process-hash-sha1 - description: SHA1 hash. - flat_name: process.hash.sha1 - ignore_above: 1024 + process.entry_leader.elf.sections.var_entropy: + dashed_name: process-entry-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.elf.sections.var_entropy + format: number level: extended - name: sha1 + name: sections.var_entropy normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.hash.sha256: - dashed_name: process-hash-sha256 - description: SHA256 hash. 
- flat_name: process.hash.sha256 - ignore_above: 1024 + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long + process.entry_leader.elf.sections.virtual_address: + dashed_name: process-entry-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.entry_leader.elf.sections.virtual_address + format: string level: extended - name: sha256 + name: sections.virtual_address normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.hash.sha384: - dashed_name: process-hash-sha384 - description: SHA384 hash. - flat_name: process.hash.sha384 + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.entry_leader.elf.sections.virtual_size: + dashed_name: process-entry-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.entry_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + process.entry_leader.elf.segments: + dashed_name: process-entry-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.entry_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + process.entry_leader.elf.segments.sections: + dashed_name: process-entry-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.entry_leader.elf.segments.sections ignore_above: 1024 level: extended - name: sha384 + name: segments.sections normalize: [] - original_fieldset: hash - short: SHA384 hash. + original_fieldset: elf + short: ELF object segment sections. 
type: keyword - process.hash.sha512: - dashed_name: process-hash-sha512 - description: SHA512 hash. - flat_name: process.hash.sha512 + process.entry_leader.elf.segments.type: + dashed_name: process-entry-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.entry_leader.elf.segments.type ignore_above: 1024 level: extended - name: sha512 + name: segments.type normalize: [] - original_fieldset: hash - short: SHA512 hash. + original_fieldset: elf + short: ELF object segment type. type: keyword - process.hash.ssdeep: - dashed_name: process-hash-ssdeep - description: SSDEEP hash. - flat_name: process.hash.ssdeep + process.entry_leader.elf.shared_libraries: + dashed_name: process-entry-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.entry_leader.elf.shared_libraries ignore_above: 1024 level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. type: keyword - process.hash.tlsh: - dashed_name: process-hash-tlsh - description: TLSH hash. - flat_name: process.hash.tlsh + process.entry_leader.elf.telfhash: + dashed_name: process-entry-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.entry_leader.elf.telfhash ignore_above: 1024 level: extended - name: tlsh + name: telfhash normalize: [] - original_fieldset: hash - short: TLSH hash. + original_fieldset: elf + short: telfhash hash for ELF file. type: keyword - process.interactive: - dashed_name: process-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. 
- - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.interactive + process.entry_leader.end: + dashed_name: process-entry-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.end level: extended - name: interactive + name: end normalize: [] - otel: - - relation: match - stability: development - short: Whether the process is connected to an interactive shell. + original_fieldset: process + short: The time the process ended. + type: date + process.entry_leader.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.entry_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. type: boolean - process.io: - dashed_name: process-io - description: 'A chunk of input or output (IO) from a single process. + process.entry_leader.entity_id: + dashed_name: process-entry-leader-entity-id + description: 'Unique identifier for the process. - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' 
- flat_name: process.io + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.entry_leader.entity_id + ignore_above: 1024 level: extended - name: io + name: entity_id normalize: [] - short: A chunk of input or output (IO) from a single process. - type: object - process.io.bytes_skipped: - dashed_name: process-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - flat_name: process.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - short: An array of byte offsets and lengths denoting where IO data has been - skipped. - type: object - process.io.bytes_skipped.length: - dashed_name: process-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.io.bytes_skipped.length + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.entry_leader.entry_meta.source.address: + dashed_name: process-entry-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.entry_leader.entry_meta.source.address + ignore_above: 1024 level: extended - name: io.bytes_skipped.length + name: address normalize: [] - short: The length of bytes skipped. 
- type: long - process.io.bytes_skipped.offset: - dashed_name: process-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.io.bytes_skipped.offset + original_fieldset: source + short: Source network address. + type: keyword + process.entry_leader.entry_meta.source.as.number: + dashed_name: process-entry-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.entry_leader.entry_meta.source.as.number level: extended - name: io.bytes_skipped.offset + name: number normalize: [] - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. + original_fieldset: as + short: Unique number allocated to the autonomous system. type: long - process.io.max_bytes_per_process_exceeded: - dashed_name: process-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.io.max_bytes_per_process_exceeded + process.entry_leader.entry_meta.source.as.organization.name: + dashed_name: process-entry-leader-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.entry_leader.entry_meta.source.as.organization.name + ignore_above: 1024 level: extended - name: io.max_bytes_per_process_exceeded + multi_fields: + - flat_name: process.entry_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name normalize: [] - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. 
- type: boolean - process.io.text: - dashed_name: process-io-text + original_fieldset: as + short: Organization name. + type: keyword + process.entry_leader.entry_meta.source.bytes: + dashed_name: process-entry-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.entry_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.entry_leader.entry_meta.source.domain: + dashed_name: process-entry-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.entry_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.entry_leader.entry_meta.source.geo.city_name: + dashed_name: process-entry-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.entry_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + process.entry_leader.entry_meta.source.geo.continent_code: + dashed_name: process-entry-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.entry_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. 
+ type: keyword + process.entry_leader.entry_meta.source.geo.continent_name: + dashed_name: process-entry-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.entry_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.entry_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-entry-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.entry_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + process.entry_leader.entry_meta.source.geo.country_name: + dashed_name: process-entry-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.entry_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + process.entry_leader.entry_meta.source.geo.location: + dashed_name: process-entry-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.entry_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + process.entry_leader.entry_meta.source.geo.name: + dashed_name: process-entry-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. 
+ + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.entry_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.entry_leader.entry_meta.source.geo.postal_code: + dashed_name: process-entry-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.entry_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.entry_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-entry-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.entry_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.entry_leader.entry_meta.source.geo.region_name: + dashed_name: process-entry-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.entry_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + process.entry_leader.entry_meta.source.geo.timezone: + dashed_name: process-entry-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. 
+ example: America/Argentina/Buenos_Aires + flat_name: process.entry_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.entry_leader.entry_meta.source.ip: + dashed_name: process-entry-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.entry_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip + process.entry_leader.entry_meta.source.mac: + dashed_name: process-entry-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.entry_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.entry_leader.entry_meta.source.nat.ip: + dashed_name: process-entry-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.entry_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.entry_leader.entry_meta.source.nat.port: + dashed_name: process-entry-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' 
+ flat_name: process.entry_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.entry_leader.entry_meta.source.packets: + dashed_name: process-entry-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.entry_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.entry_leader.entry_meta.source.port: + dashed_name: process-entry-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.entry_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.entry_leader.entry_meta.source.registered_domain: + dashed_name: process-entry-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.entry_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.entry_leader.entry_meta.source.subdomain: + dashed_name: process-entry-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. 
In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.entry_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.entry_leader.entry_meta.source.top_level_domain: + dashed_name: process-entry-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.entry_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword + process.entry_leader.entry_meta.type: + dashed_name: process-entry-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.entry_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. 
+ type: keyword + process.entry_leader.env_vars: + dashed_name: process-entry-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.entry_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.entry_leader.executable: + dashed_name: process-entry-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.entry_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword + process.entry_leader.exit_code: + dashed_name: process-entry-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.entry_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long + process.entry_leader.group.domain: + dashed_name: process-entry-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.entry_leader.group.id: + dashed_name: process-entry-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.group.name: + dashed_name: process-entry-leader-group-name + description: Name of the group. + flat_name: process.entry_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.entry_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.entry_leader.hash.md5: + dashed_name: process-entry-leader-hash-md5 + description: MD5 hash. + flat_name: process.entry_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.entry_leader.hash.sha1: + dashed_name: process-entry-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.entry_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + process.entry_leader.hash.sha256: + dashed_name: process-entry-leader-hash-sha256 + description: SHA256 hash. 
+ flat_name: process.entry_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.entry_leader.hash.sha384: + dashed_name: process-entry-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.entry_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword + process.entry_leader.hash.sha512: + dashed_name: process-entry-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.entry_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.entry_leader.hash.ssdeep: + dashed_name: process-entry-leader-hash-ssdeep + description: SSDEEP hash. + flat_name: process.entry_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + process.entry_leader.hash.tlsh: + dashed_name: process-entry-leader-hash-tlsh + description: TLSH hash. + flat_name: process.entry_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.entry_leader.interactive: + dashed_name: process-entry-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). 
A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.entry_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.entry_leader.io: + dashed_name: process-entry-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.entry_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object + process.entry_leader.io.bytes_skipped: + dashed_name: process-entry-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + flat_name: process.entry_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.entry_leader.io.bytes_skipped.length: + dashed_name: process-entry-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.entry_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long + process.entry_leader.io.bytes_skipped.offset: + dashed_name: process-entry-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. 
+ flat_name: process.entry_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.entry_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-entry-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.entry_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.entry_leader.io.text: + dashed_name: process-entry-leader-io-text description: 'A chunk of output or input sanitized to UTF-8. Best efforts are made to ensure complete lines are captured in these events. 
@@ -14345,49 +16305,53 @@ process: event. TTY output may contain terminal control codes such as for cursor movement, so some string queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.io.text + flat_name: process.entry_leader.io.text level: extended name: io.text normalize: [] + original_fieldset: process short: A chunk of output or input sanitized to UTF-8. type: wildcard - process.io.total_bytes_captured: - dashed_name: process-io-total-bytes-captured + process.entry_leader.io.total_bytes_captured: + dashed_name: process-entry-leader-io-total-bytes-captured description: The total number of bytes captured in this event. - flat_name: process.io.total_bytes_captured + flat_name: process.entry_leader.io.total_bytes_captured level: extended name: io.total_bytes_captured normalize: [] + original_fieldset: process short: The total number of bytes captured in this event. type: long - process.io.total_bytes_skipped: - dashed_name: process-io-total-bytes-skipped + process.entry_leader.io.total_bytes_skipped: + dashed_name: process-entry-leader-io-total-bytes-skipped description: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero - flat_name: process.io.total_bytes_skipped + flat_name: process.entry_leader.io.total_bytes_skipped level: extended name: io.total_bytes_skipped normalize: [] + original_fieldset: process short: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. type: long - process.io.type: - dashed_name: process-io-type + process.entry_leader.io.type: + dashed_name: process-entry-leader-io-type description: 'The type of object on which the IO action (read or write) was taken. Currently only ''tty'' is supported. Other types may be added in the future for ''file'' and ''socket'' support.' 
- flat_name: process.io.type + flat_name: process.entry_leader.io.type ignore_above: 1024 level: extended name: io.type normalize: [] + original_fieldset: process short: The type of object on which the IO action (read or write) was taken. type: keyword - process.macho.go_import_hash: - dashed_name: process-macho-go-import-hash + process.entry_leader.macho.go_import_hash: + dashed_name: process-entry-leader-macho-go-import-hash description: 'A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would @@ -14396,7 +16360,7 @@ process: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.macho.go_import_hash + flat_name: process.entry_leader.macho.go_import_hash ignore_above: 1024 level: extended name: go_import_hash 
@@ -14404,20 +16368,20 @@ process: original_fieldset: macho short: A hash of the Go language imports in a Mach-O file. type: keyword - process.macho.go_imports: - dashed_name: process-macho-go-imports + process.entry_leader.macho.go_imports: + dashed_name: process-entry-leader-macho-go-imports description: List of imported Go language element names and types. - flat_name: process.macho.go_imports + flat_name: process.entry_leader.macho.go_imports level: extended name: go_imports normalize: [] original_fieldset: macho short: List of imported Go language element names and types. type: flattened - process.macho.go_imports_names_entropy: - dashed_name: process-macho-go-imports-names-entropy + process.entry_leader.macho.go_imports_names_entropy: + dashed_name: process-entry-leader-macho-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.macho.go_imports_names_entropy + flat_name: process.entry_leader.macho.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy @@ -14425,10 +16389,10 @@ process: original_fieldset: macho short: Shannon entropy calculation from the list of Go imports. type: long - process.macho.go_imports_names_var_entropy: - dashed_name: process-macho-go-imports-names-var-entropy + process.entry_leader.macho.go_imports_names_var_entropy: + dashed_name: process-entry-leader-macho-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.macho.go_imports_names_var_entropy + flat_name: process.entry_leader.macho.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -14436,26 +16400,26 @@ process: original_fieldset: macho short: Variance for Shannon entropy calculation from the list of Go imports. type: long - process.macho.go_stripped: - dashed_name: process-macho-go-stripped + process.entry_leader.macho.go_stripped: + dashed_name: process-entry-leader-macho-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.macho.go_stripped + flat_name: process.entry_leader.macho.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: macho short: Whether the file is a stripped or obfuscated Go executable. type: boolean - process.macho.import_hash: - dashed_name: process-macho-import-hash + process.entry_leader.macho.import_hash: + dashed_name: process-entry-leader-macho-import-hash description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for symhash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.macho.import_hash + flat_name: process.entry_leader.macho.import_hash ignore_above: 1024 level: extended name: import_hash @@ -14463,10 +16427,10 @@ process: original_fieldset: macho short: A hash of the imports in a Mach-O file. type: keyword - process.macho.imports: - dashed_name: process-macho-imports + process.entry_leader.macho.imports: + dashed_name: process-entry-leader-macho-imports description: List of imported element names and types. - flat_name: process.macho.imports + flat_name: process.entry_leader.macho.imports level: extended name: imports normalize: 
@@ -14474,11 +16438,11 @@ process: original_fieldset: macho short: List of imported element names and types. type: flattened - process.macho.imports_names_entropy: - dashed_name: process-macho-imports-names-entropy + process.entry_leader.macho.imports_names_entropy: + dashed_name: process-entry-leader-macho-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.macho.imports_names_entropy + flat_name: process.entry_leader.macho.imports_names_entropy format: number level: extended name: imports_names_entropy @@ -14487,11 +16451,11 @@ process: short: Shannon entropy calculation from the list of imported element names and types. type: long - process.macho.imports_names_var_entropy: - dashed_name: process-macho-imports-names-var-entropy + process.entry_leader.macho.imports_names_var_entropy: + dashed_name: process-entry-leader-macho-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.macho.imports_names_var_entropy + flat_name: process.entry_leader.macho.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy @@ -14500,13 +16464,13 @@ process: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long - process.macho.sections: - dashed_name: process-macho-sections + process.entry_leader.macho.sections: + dashed_name: process-entry-leader-macho-sections description: 'An array containing an object for each section of the Mach-O file. The keys that should be present in these objects are defined by sub-fields underneath `macho.sections.*`.' - flat_name: process.macho.sections + flat_name: process.entry_leader.macho.sections level: extended name: sections normalize: 
@@ -14514,10 +16478,10 @@ process: original_fieldset: macho short: Section information of the Mach-O file. type: nested - process.macho.sections.entropy: - dashed_name: process-macho-sections-entropy + process.entry_leader.macho.sections.entropy: + dashed_name: process-entry-leader-macho-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.macho.sections.entropy + flat_name: process.entry_leader.macho.sections.entropy format: number level: extended name: sections.entropy @@ -14525,10 +16489,10 @@ process: original_fieldset: macho short: Shannon entropy calculation from the section. type: long - process.macho.sections.name: - dashed_name: process-macho-sections-name + process.entry_leader.macho.sections.name: + dashed_name: process-entry-leader-macho-sections-name description: Mach-O Section List name. - flat_name: process.macho.sections.name + flat_name: process.entry_leader.macho.sections.name ignore_above: 1024 level: extended name: sections.name @@ -14536,10 +16500,10 @@ process: original_fieldset: macho short: Mach-O Section List name. type: keyword - process.macho.sections.physical_size: - dashed_name: process-macho-sections-physical-size + process.entry_leader.macho.sections.physical_size: + dashed_name: process-entry-leader-macho-sections-physical-size description: Mach-O Section List physical size. - flat_name: process.macho.sections.physical_size + flat_name: process.entry_leader.macho.sections.physical_size format: bytes level: extended name: sections.physical_size 
@@ -14547,10 +16511,10 @@ process: original_fieldset: macho short: Mach-O Section List physical size. type: long - process.macho.sections.var_entropy: - dashed_name: process-macho-sections-var-entropy + process.entry_leader.macho.sections.var_entropy: + dashed_name: process-entry-leader-macho-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.macho.sections.var_entropy + flat_name: process.entry_leader.macho.sections.var_entropy format: number level: extended name: sections.var_entropy @@ -14558,10 +16522,10 @@ process: original_fieldset: macho short: Variance for Shannon entropy calculation from the section. type: long - process.macho.sections.virtual_size: - dashed_name: process-macho-sections-virtual-size + process.entry_leader.macho.sections.virtual_size: + dashed_name: process-entry-leader-macho-sections-virtual-size description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.macho.sections.virtual_size + flat_name: process.entry_leader.macho.sections.virtual_size format: string level: extended name: sections.virtual_size @@ -14569,15 +16533,15 @@ process: original_fieldset: macho short: Mach-O Section List virtual size. This is always the same as `physical_size`. type: long - process.macho.symhash: - dashed_name: process-macho-symhash + process.entry_leader.macho.symhash: + dashed_name: process-entry-leader-macho-symhash description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a Mach-O implementation of the Windows PE imphash' example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.macho.symhash + flat_name: process.entry_leader.macho.symhash ignore_above: 1024 level: extended name: symhash 
@@ -14585,31 +16549,59 @@ process: original_fieldset: macho short: A hash of the imports in a Mach-O file. type: keyword - process.name: - dashed_name: process-name + process.entry_leader.name: + dashed_name: process-entry-leader-name description: 'Process name. Sometimes called program name or similar.' example: ssh - flat_name: process.name + flat_name: process.entry_leader.name ignore_above: 1024 level: extended multi_fields: - - flat_name: process.name.text + - flat_name: process.entry_leader.name.text name: text type: match_only_text name: name normalize: [] + original_fieldset: process short: Process name. type: keyword - process.parent.args: - dashed_name: process-parent-args + process.entry_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.entry_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.entry_leader.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.entry_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword + process.entry_leader.parent.args: + dashed_name: process-entry-leader-parent-args description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.' 
example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.parent.args + flat_name: process.entry_leader.parent.args ignore_above: 1024 level: extended name: args 
@@ -14618,29 +16610,538 @@ process: original_fieldset: process short: Array of process arguments. type: keyword - process.parent.args_count: - dashed_name: process-parent-args-count + process.entry_leader.parent.args_count: + dashed_name: process-entry-leader-parent-args-count description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.' example: 4 - flat_name: process.parent.args_count + flat_name: process.entry_leader.parent.args_count level: extended name: args_count normalize: [] original_fieldset: process short: Length of the process.args array. type: long - process.parent.code_signature.digest_algorithm: - dashed_name: process-parent-code-signature-digest-algorithm + process.entry_leader.parent.attested_groups.domain: + dashed_name: process-entry-leader-parent-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.attested_groups.id: + dashed_name: process-entry-leader-parent-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.attested_groups.name: + dashed_name: process-entry-leader-parent-attested-groups-name + description: Name of the group. 
+ flat_name: process.entry_leader.parent.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.attested_user.domain: + dashed_name: process-entry-leader-parent-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.entry_leader.parent.attested_user.email: + dashed_name: process-entry-leader-parent-attested-user-email + description: User email address. + flat_name: process.entry_leader.parent.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.entry_leader.parent.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.entry_leader.parent.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.entry_leader.parent.attested_user.entity.behavior: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.entry_leader.parent.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.parent.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.attested_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.entry_leader.parent.attested_user.entity.id: + dashed_name: process-entry-leader-parent-attested-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.entry_leader.parent.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.entry_leader.parent.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.parent.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.entry_leader.parent.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.entry_leader.parent.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.entry_leader.parent.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.entry_leader.parent.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.entry_leader.parent.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.entry_leader.parent.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.attested_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.entry_leader.parent.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. 
+ flat_name: process.entry_leader.parent.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.entry_leader.parent.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.parent.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.entry_leader.parent.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.entry_leader.parent.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.entry_leader.parent.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.parent.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.entry_leader.parent.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. 
This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. 
This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.entry_leader.parent.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.entry_leader.parent.attested_user.full_name: + dashed_name: process-entry-leader-parent-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.parent.attested_user.group.domain: + dashed_name: process-entry-leader-parent-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.parent.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.attested_user.group.id: + dashed_name: process-entry-leader-parent-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.attested_user.group.name: + dashed_name: process-entry-leader-parent-attested-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.attested_user.hash: + dashed_name: process-entry-leader-parent-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.parent.attested_user.id: + dashed_name: process-entry-leader-parent-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. 
+ type: keyword + process.entry_leader.parent.attested_user.name: + dashed_name: process-entry-leader-parent-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.entry_leader.parent.attested_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.entry_leader.parent.attested_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + process.entry_leader.parent.attested_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.parent.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.parent.attested_user.risk.static_level: + dashed_name: process-entry-leader-parent-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.entry_leader.parent.attested_user.risk.static_score: + dashed_name: process-entry-leader-parent-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.entry_leader.parent.attested_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.parent.attested_user.roles: + dashed_name: process-entry-leader-parent-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.code_signature.digest_algorithm: + dashed_name: process-entry-leader-parent-code-signature-digest-algorithm description: 'The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.' example: sha256 - flat_name: process.parent.code_signature.digest_algorithm + flat_name: process.entry_leader.parent.code_signature.digest_algorithm ignore_above: 1024 level: extended name: digest_algorithm 
@@ -14648,23 +17149,23 @@ process: original_fieldset: code_signature short: Hashing algorithm used to sign the process. type: keyword - process.parent.code_signature.exists: - dashed_name: process-parent-code-signature-exists + process.entry_leader.parent.code_signature.exists: + dashed_name: process-entry-leader-parent-code-signature-exists description: Boolean to capture if a signature is present. example: 'true' - flat_name: process.parent.code_signature.exists + flat_name: process.entry_leader.parent.code_signature.exists level: core name: exists normalize: [] original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean - process.parent.code_signature.flags: + process.entry_leader.parent.code_signature.flags: beta: This field is beta and subject to change. - dashed_name: process-parent-code-signature-flags + dashed_name: process-entry-leader-parent-code-signature-flags description: The flags used to sign the process. example: 570522385 - flat_name: process.parent.code_signature.flags + flat_name: process.entry_leader.parent.code_signature.flags ignore_above: 1024 level: extended name: flags @@ -14672,14 +17173,14 @@ process: original_fieldset: code_signature short: Code signing flags of the process type: keyword - process.parent.code_signature.signing_id: - dashed_name: process-parent-code-signature-signing-id + process.entry_leader.parent.code_signature.signing_id: + dashed_name: process-entry-leader-parent-code-signature-signing-id description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy - flat_name: process.parent.code_signature.signing_id + flat_name: process.entry_leader.parent.code_signature.signing_id ignore_above: 1024 level: extended name: signing_id 
@@ -14687,15 +17188,15 @@ process: original_fieldset: code_signature short: The identifier used to sign the process. type: keyword - process.parent.code_signature.status: - dashed_name: process-parent-code-signature-status + process.entry_leader.parent.code_signature.status: + dashed_name: process-entry-leader-parent-code-signature-status description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT - flat_name: process.parent.code_signature.status + flat_name: process.entry_leader.parent.code_signature.status ignore_above: 1024 level: extended name: status @@ -14703,11 +17204,11 @@ process: original_fieldset: code_signature short: Additional information about the certificate status. type: keyword - process.parent.code_signature.subject_name: - dashed_name: process-parent-code-signature-subject-name + process.entry_leader.parent.code_signature.subject_name: + dashed_name: process-entry-leader-parent-code-signature-subject-name description: Subject name of the code signer example: Microsoft Corporation - flat_name: process.parent.code_signature.subject_name + flat_name: process.entry_leader.parent.code_signature.subject_name ignore_above: 1024 level: core name: subject_name 
@@ -14715,14 +17216,14 @@ process: original_fieldset: code_signature short: Subject name of the code signer type: keyword - process.parent.code_signature.team_id: - dashed_name: process-parent-code-signature-team-id + process.entry_leader.parent.code_signature.team_id: + dashed_name: process-entry-leader-parent-code-signature-team-id description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV - flat_name: process.parent.code_signature.team_id + flat_name: process.entry_leader.parent.code_signature.team_id ignore_above: 1024 level: extended name: team_id @@ -14730,12 +17231,12 @@ process: original_fieldset: code_signature short: The team identifier used to sign the process. type: keyword - process.parent.code_signature.thumbprint_sha256: + process.entry_leader.parent.code_signature.thumbprint_sha256: beta: This field is beta and subject to change. - dashed_name: process-parent-code-signature-thumbprint-sha256 + dashed_name: process-entry-leader-parent-code-signature-thumbprint-sha256 description: Certificate SHA256 hash that uniquely identifies the code signer. example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.parent.code_signature.thumbprint_sha256 + flat_name: process.entry_leader.parent.code_signature.thumbprint_sha256 ignore_above: 64 level: extended name: thumbprint_sha256 
@@ -14744,39 +17245,39 @@ process: pattern: ^[0-9a-f]{64}$ short: SHA256 hash of the certificate. type: keyword - process.parent.code_signature.timestamp: - dashed_name: process-parent-code-signature-timestamp + process.entry_leader.parent.code_signature.timestamp: + dashed_name: process-entry-leader-parent-code-signature-timestamp description: Date and time when the code signature was generated and signed. example: '2021-01-01T12:10:30Z' - flat_name: process.parent.code_signature.timestamp + flat_name: process.entry_leader.parent.code_signature.timestamp level: extended name: timestamp normalize: [] original_fieldset: code_signature short: When the signature was generated and signed. type: date - process.parent.code_signature.trusted: - dashed_name: process-parent-code-signature-trusted + process.entry_leader.parent.code_signature.trusted: + dashed_name: process-entry-leader-parent-code-signature-trusted description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' - flat_name: process.parent.code_signature.trusted + flat_name: process.entry_leader.parent.code_signature.trusted level: extended name: trusted normalize: [] original_fieldset: code_signature short: Stores the trust status of the certificate chain. type: boolean - process.parent.code_signature.valid: - dashed_name: process-parent-code-signature-valid + process.entry_leader.parent.code_signature.valid: + dashed_name: process-entry-leader-parent-code-signature-valid description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' - flat_name: process.parent.code_signature.valid + flat_name: process.entry_leader.parent.code_signature.valid level: extended name: valid normalize: [] 
@@ -14784,17 +17285,17 @@ process: short: Boolean to capture if the digital signature is verified against the binary content. type: boolean - process.parent.command_line: - dashed_name: process-parent-command-line + process.entry_leader.parent.command_line: + dashed_name: process-entry-leader-parent-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.parent.command_line + flat_name: process.entry_leader.parent.command_line level: extended multi_fields: - - flat_name: process.parent.command_line.text + - flat_name: process.entry_leader.parent.command_line.text name: text type: match_only_text name: command_line @@ -14802,11 +17303,11 @@ process: original_fieldset: process short: Full command line that started the process. type: wildcard - process.parent.elf.architecture: - dashed_name: process-parent-elf-architecture + process.entry_leader.parent.elf.architecture: + dashed_name: process-entry-leader-parent-elf-architecture description: Machine architecture of the ELF file. example: x86-64 - flat_name: process.parent.elf.architecture + flat_name: process.entry_leader.parent.elf.architecture ignore_above: 1024 level: extended name: architecture @@ -14814,11 +17315,11 @@ process: original_fieldset: elf short: Machine architecture of the ELF file. type: keyword - process.parent.elf.byte_order: - dashed_name: process-parent-elf-byte-order + process.entry_leader.parent.elf.byte_order: + dashed_name: process-entry-leader-parent-elf-byte-order description: Byte sequence of ELF file. example: Little Endian - flat_name: process.parent.elf.byte_order + flat_name: process.entry_leader.parent.elf.byte_order ignore_above: 1024 level: extended name: byte_order 
@@ -14826,11 +17327,11 @@ process: original_fieldset: elf short: Byte sequence of ELF file. type: keyword - process.parent.elf.cpu_type: - dashed_name: process-parent-elf-cpu-type + process.entry_leader.parent.elf.cpu_type: + dashed_name: process-entry-leader-parent-elf-cpu-type description: CPU type of the ELF file. example: Intel - flat_name: process.parent.elf.cpu_type + flat_name: process.entry_leader.parent.elf.cpu_type ignore_above: 1024 level: extended name: cpu_type @@ -14838,21 +17339,21 @@ process: original_fieldset: elf short: CPU type of the ELF file. type: keyword - process.parent.elf.creation_date: - dashed_name: process-parent-elf-creation-date + process.entry_leader.parent.elf.creation_date: + dashed_name: process-entry-leader-parent-elf-creation-date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. - flat_name: process.parent.elf.creation_date + flat_name: process.entry_leader.parent.elf.creation_date level: extended name: creation_date normalize: [] original_fieldset: elf short: Build or compile date. type: date - process.parent.elf.exports: - dashed_name: process-parent-elf-exports + process.entry_leader.parent.elf.exports: + dashed_name: process-entry-leader-parent-elf-exports description: List of exported element names and types. - flat_name: process.parent.elf.exports + flat_name: process.entry_leader.parent.elf.exports level: extended name: exports normalize: 
@@ -14860,8 +17361,8 @@ process: original_fieldset: elf short: List of exported element names and types. type: flattened - process.parent.elf.go_import_hash: - dashed_name: process-parent-elf-go-import-hash + process.entry_leader.parent.elf.go_import_hash: + dashed_name: process-entry-leader-parent-elf-go-import-hash description: 'A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would @@ -14870,7 +17371,7 @@ process: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.elf.go_import_hash + flat_name: process.entry_leader.parent.elf.go_import_hash ignore_above: 1024 level: extended name: go_import_hash 
@@ -14878,20 +17379,20 @@ process: original_fieldset: elf short: A hash of the Go language imports in an ELF file. type: keyword - process.parent.elf.go_imports: - dashed_name: process-parent-elf-go-imports + process.entry_leader.parent.elf.go_imports: + dashed_name: process-entry-leader-parent-elf-go-imports description: List of imported Go language element names and types. - flat_name: process.parent.elf.go_imports + flat_name: process.entry_leader.parent.elf.go_imports level: extended name: go_imports normalize: [] original_fieldset: elf short: List of imported Go language element names and types. type: flattened - process.parent.elf.go_imports_names_entropy: - dashed_name: process-parent-elf-go-imports-names-entropy + process.entry_leader.parent.elf.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-elf-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.elf.go_imports_names_entropy + flat_name: process.entry_leader.parent.elf.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy @@ -14899,10 +17400,10 @@ process: original_fieldset: elf short: Shannon entropy calculation from the list of Go imports. type: long - process.parent.elf.go_imports_names_var_entropy: - dashed_name: process-parent-elf-go-imports-names-var-entropy + process.entry_leader.parent.elf.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-elf-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.elf.go_imports_names_var_entropy + flat_name: process.entry_leader.parent.elf.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -14910,21 +17411,21 @@ process: original_fieldset: elf short: Variance for Shannon entropy calculation from the list of Go imports. type: long - process.parent.elf.go_stripped: - dashed_name: process-parent-elf-go-stripped + process.entry_leader.parent.elf.go_stripped: + dashed_name: process-entry-leader-parent-elf-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.elf.go_stripped + flat_name: process.entry_leader.parent.elf.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: elf short: Whether the file is a stripped or obfuscated Go executable. type: boolean - process.parent.elf.header.abi_version: - dashed_name: process-parent-elf-header-abi-version + process.entry_leader.parent.elf.header.abi_version: + dashed_name: process-entry-leader-parent-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.parent.elf.header.abi_version + flat_name: process.entry_leader.parent.elf.header.abi_version ignore_above: 1024 level: extended name: header.abi_version @@ -14932,10 +17433,10 @@ process: original_fieldset: elf short: Version of the ELF Application Binary Interface (ABI). type: keyword - process.parent.elf.header.class: - dashed_name: process-parent-elf-header-class + process.entry_leader.parent.elf.header.class: + dashed_name: process-entry-leader-parent-elf-header-class description: Header class of the ELF file. - flat_name: process.parent.elf.header.class + flat_name: process.entry_leader.parent.elf.header.class ignore_above: 1024 level: extended name: header.class 
@@ -14943,10 +17444,10 @@ process: original_fieldset: elf short: Header class of the ELF file. type: keyword - process.parent.elf.header.data: - dashed_name: process-parent-elf-header-data + process.entry_leader.parent.elf.header.data: + dashed_name: process-entry-leader-parent-elf-header-data description: Data table of the ELF header. - flat_name: process.parent.elf.header.data + flat_name: process.entry_leader.parent.elf.header.data ignore_above: 1024 level: extended name: header.data @@ -14954,10 +17455,10 @@ process: original_fieldset: elf short: Data table of the ELF header. type: keyword - process.parent.elf.header.entrypoint: - dashed_name: process-parent-elf-header-entrypoint + process.entry_leader.parent.elf.header.entrypoint: + dashed_name: process-entry-leader-parent-elf-header-entrypoint description: Header entrypoint of the ELF file. - flat_name: process.parent.elf.header.entrypoint + flat_name: process.entry_leader.parent.elf.header.entrypoint format: string level: extended name: header.entrypoint @@ -14965,10 +17466,10 @@ process: original_fieldset: elf short: Header entrypoint of the ELF file. type: long - process.parent.elf.header.object_version: - dashed_name: process-parent-elf-header-object-version + process.entry_leader.parent.elf.header.object_version: + dashed_name: process-entry-leader-parent-elf-header-object-version description: '"0x1" for original ELF files.' - flat_name: process.parent.elf.header.object_version + flat_name: process.entry_leader.parent.elf.header.object_version ignore_above: 1024 level: extended name: header.object_version 
@@ -14976,10 +17477,10 @@ process: original_fieldset: elf short: '"0x1" for original ELF files.' type: keyword - process.parent.elf.header.os_abi: - dashed_name: process-parent-elf-header-os-abi + process.entry_leader.parent.elf.header.os_abi: + dashed_name: process-entry-leader-parent-elf-header-os-abi description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.parent.elf.header.os_abi + flat_name: process.entry_leader.parent.elf.header.os_abi ignore_above: 1024 level: extended name: header.os_abi @@ -14987,10 +17488,10 @@ process: original_fieldset: elf short: Application Binary Interface (ABI) of the Linux OS. type: keyword - process.parent.elf.header.type: - dashed_name: process-parent-elf-header-type + process.entry_leader.parent.elf.header.type: + dashed_name: process-entry-leader-parent-elf-header-type description: Header type of the ELF file. - flat_name: process.parent.elf.header.type + flat_name: process.entry_leader.parent.elf.header.type ignore_above: 1024 level: extended name: header.type @@ -14998,10 +17499,10 @@ process: original_fieldset: elf short: Header type of the ELF file. type: keyword - process.parent.elf.header.version: - dashed_name: process-parent-elf-header-version + process.entry_leader.parent.elf.header.version: + dashed_name: process-entry-leader-parent-elf-header-version description: Version of the ELF header. - flat_name: process.parent.elf.header.version + flat_name: process.entry_leader.parent.elf.header.version ignore_above: 1024 level: extended name: header.version 
@@ -15009,15 +17510,15 @@ process: original_fieldset: elf short: Version of the ELF header. type: keyword - process.parent.elf.import_hash: - dashed_name: process-parent-elf-import-hash + process.entry_leader.parent.elf.import_hash: + dashed_name: process-entry-leader-parent-elf-import-hash description: 'A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is an ELF implementation of the Windows PE imphash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.elf.import_hash + flat_name: process.entry_leader.parent.elf.import_hash ignore_above: 1024 level: extended name: import_hash @@ -15025,10 +17526,10 @@ process: original_fieldset: elf short: A hash of the imports in an ELF file. type: keyword - process.parent.elf.imports: - dashed_name: process-parent-elf-imports + process.entry_leader.parent.elf.imports: + dashed_name: process-entry-leader-parent-elf-imports description: List of imported element names and types. - flat_name: process.parent.elf.imports + flat_name: process.entry_leader.parent.elf.imports level: extended name: imports normalize: @@ -15036,11 +17537,11 @@ process: original_fieldset: elf short: List of imported element names and types. type: flattened - process.parent.elf.imports_names_entropy: - dashed_name: process-parent-elf-imports-names-entropy + process.entry_leader.parent.elf.imports_names_entropy: + dashed_name: process-entry-leader-parent-elf-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.parent.elf.imports_names_entropy + flat_name: process.entry_leader.parent.elf.imports_names_entropy format: number level: extended name: imports_names_entropy 
@@ -15049,11 +17550,11 @@ process: short: Shannon entropy calculation from the list of imported element names and types. type: long - process.parent.elf.imports_names_var_entropy: - dashed_name: process-parent-elf-imports-names-var-entropy + process.entry_leader.parent.elf.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-elf-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.parent.elf.imports_names_var_entropy + flat_name: process.entry_leader.parent.elf.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy @@ -15062,13 +17563,13 @@ process: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long - process.parent.elf.sections: - dashed_name: process-parent-elf-sections + process.entry_leader.parent.elf.sections: + dashed_name: process-entry-leader-parent-elf-sections description: 'An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.' - flat_name: process.parent.elf.sections + flat_name: process.entry_leader.parent.elf.sections level: extended name: sections normalize: @@ -15076,10 +17577,10 @@ process: original_fieldset: elf short: Section information of the ELF file. type: nested - process.parent.elf.sections.chi2: - dashed_name: process-parent-elf-sections-chi2 + process.entry_leader.parent.elf.sections.chi2: + dashed_name: process-entry-leader-parent-elf-sections-chi2 description: Chi-square probability distribution of the section. - flat_name: process.parent.elf.sections.chi2 + flat_name: process.entry_leader.parent.elf.sections.chi2 format: number level: extended name: sections.chi2 
@@ -15087,10 +17588,10 @@ process: original_fieldset: elf short: Chi-square probability distribution of the section. type: long - process.parent.elf.sections.entropy: - dashed_name: process-parent-elf-sections-entropy + process.entry_leader.parent.elf.sections.entropy: + dashed_name: process-entry-leader-parent-elf-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.parent.elf.sections.entropy + flat_name: process.entry_leader.parent.elf.sections.entropy format: number level: extended name: sections.entropy @@ -15098,10 +17599,10 @@ process: original_fieldset: elf short: Shannon entropy calculation from the section. type: long - process.parent.elf.sections.flags: - dashed_name: process-parent-elf-sections-flags + process.entry_leader.parent.elf.sections.flags: + dashed_name: process-entry-leader-parent-elf-sections-flags description: ELF Section List flags. - flat_name: process.parent.elf.sections.flags + flat_name: process.entry_leader.parent.elf.sections.flags ignore_above: 1024 level: extended name: sections.flags @@ -15109,10 +17610,10 @@ process: original_fieldset: elf short: ELF Section List flags. type: keyword - process.parent.elf.sections.name: - dashed_name: process-parent-elf-sections-name + process.entry_leader.parent.elf.sections.name: + dashed_name: process-entry-leader-parent-elf-sections-name description: ELF Section List name. - flat_name: process.parent.elf.sections.name + flat_name: process.entry_leader.parent.elf.sections.name ignore_above: 1024 level: extended name: sections.name 
@@ -15120,10 +17621,10 @@ process: original_fieldset: elf short: ELF Section List name. type: keyword - process.parent.elf.sections.physical_offset: - dashed_name: process-parent-elf-sections-physical-offset + process.entry_leader.parent.elf.sections.physical_offset: + dashed_name: process-entry-leader-parent-elf-sections-physical-offset description: ELF Section List offset. - flat_name: process.parent.elf.sections.physical_offset + flat_name: process.entry_leader.parent.elf.sections.physical_offset ignore_above: 1024 level: extended name: sections.physical_offset @@ -15131,10 +17632,10 @@ process: original_fieldset: elf short: ELF Section List offset. type: keyword - process.parent.elf.sections.physical_size: - dashed_name: process-parent-elf-sections-physical-size + process.entry_leader.parent.elf.sections.physical_size: + dashed_name: process-entry-leader-parent-elf-sections-physical-size description: ELF Section List physical size. - flat_name: process.parent.elf.sections.physical_size + flat_name: process.entry_leader.parent.elf.sections.physical_size format: bytes level: extended name: sections.physical_size @@ -15142,10 +17643,10 @@ process: original_fieldset: elf short: ELF Section List physical size. type: long - process.parent.elf.sections.type: - dashed_name: process-parent-elf-sections-type + process.entry_leader.parent.elf.sections.type: + dashed_name: process-entry-leader-parent-elf-sections-type description: ELF Section List type. - flat_name: process.parent.elf.sections.type + flat_name: process.entry_leader.parent.elf.sections.type ignore_above: 1024 level: extended name: sections.type 
@@ -15153,10 +17654,10 @@ process: original_fieldset: elf short: ELF Section List type. type: keyword - process.parent.elf.sections.var_entropy: - dashed_name: process-parent-elf-sections-var-entropy + process.entry_leader.parent.elf.sections.var_entropy: + dashed_name: process-entry-leader-parent-elf-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.elf.sections.var_entropy + flat_name: process.entry_leader.parent.elf.sections.var_entropy format: number level: extended name: sections.var_entropy @@ -15164,10 +17665,10 @@ process: original_fieldset: elf short: Variance for Shannon entropy calculation from the section. type: long - process.parent.elf.sections.virtual_address: - dashed_name: process-parent-elf-sections-virtual-address + process.entry_leader.parent.elf.sections.virtual_address: + dashed_name: process-entry-leader-parent-elf-sections-virtual-address description: ELF Section List virtual address. - flat_name: process.parent.elf.sections.virtual_address + flat_name: process.entry_leader.parent.elf.sections.virtual_address format: string level: extended name: sections.virtual_address @@ -15175,10 +17676,10 @@ process: original_fieldset: elf short: ELF Section List virtual address. type: long - process.parent.elf.sections.virtual_size: - dashed_name: process-parent-elf-sections-virtual-size + process.entry_leader.parent.elf.sections.virtual_size: + dashed_name: process-entry-leader-parent-elf-sections-virtual-size description: ELF Section List virtual size. - flat_name: process.parent.elf.sections.virtual_size + flat_name: process.entry_leader.parent.elf.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -15186,13 +17687,13 @@ process: original_fieldset: elf short: ELF Section List virtual size. type: long - process.parent.elf.segments: - dashed_name: process-parent-elf-segments + process.entry_leader.parent.elf.segments: + dashed_name: process-entry-leader-parent-elf-segments description: 'An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.' - flat_name: process.parent.elf.segments + flat_name: process.entry_leader.parent.elf.segments level: extended name: segments normalize: @@ -15200,10 +17701,10 @@ process: original_fieldset: elf short: ELF object segment list. type: nested - process.parent.elf.segments.sections: - dashed_name: process-parent-elf-segments-sections + process.entry_leader.parent.elf.segments.sections: + dashed_name: process-entry-leader-parent-elf-segments-sections description: ELF object segment sections. - flat_name: process.parent.elf.segments.sections + flat_name: process.entry_leader.parent.elf.segments.sections ignore_above: 1024 level: extended name: segments.sections @@ -15211,10 +17712,10 @@ process: original_fieldset: elf short: ELF object segment sections. type: keyword - process.parent.elf.segments.type: - dashed_name: process-parent-elf-segments-type + process.entry_leader.parent.elf.segments.type: + dashed_name: process-entry-leader-parent-elf-segments-type description: ELF object segment type. - flat_name: process.parent.elf.segments.type + flat_name: process.entry_leader.parent.elf.segments.type ignore_above: 1024 level: extended name: segments.type 
@@ -15222,10 +17723,10 @@ process: original_fieldset: elf short: ELF object segment type. type: keyword - process.parent.elf.shared_libraries: - dashed_name: process-parent-elf-shared-libraries + process.entry_leader.parent.elf.shared_libraries: + dashed_name: process-entry-leader-parent-elf-shared-libraries description: List of shared libraries used by this ELF object. - flat_name: process.parent.elf.shared_libraries + flat_name: process.entry_leader.parent.elf.shared_libraries ignore_above: 1024 level: extended name: shared_libraries @@ -15234,10 +17735,10 @@ process: original_fieldset: elf short: List of shared libraries used by this ELF object. type: keyword - process.parent.elf.telfhash: - dashed_name: process-parent-elf-telfhash + process.entry_leader.parent.elf.telfhash: + dashed_name: process-entry-leader-parent-elf-telfhash description: telfhash symbol hash for ELF file. - flat_name: process.parent.elf.telfhash + flat_name: process.entry_leader.parent.elf.telfhash ignore_above: 1024 level: extended name: telfhash 
@@ -15245,19 +17746,31 @@ process: original_fieldset: elf short: telfhash hash for ELF file. type: keyword - process.parent.end: - dashed_name: process-parent-end + process.entry_leader.parent.end: + dashed_name: process-entry-leader-parent-end description: The time the process ended. example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.end + flat_name: process.entry_leader.parent.end level: extended name: end normalize: [] original_fieldset: process short: The time the process ended. type: date - process.parent.entity_id: - dashed_name: process-parent-entity-id + process.entry_leader.parent.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.entry_leader.parent.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.entry_leader.parent.entity_id: + dashed_name: process-entry-leader-parent-entity-id description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples @@ -15268,7 +17781,7 @@ process: PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d - flat_name: process.parent.entity_id + flat_name: process.entry_leader.parent.entity_id ignore_above: 1024 level: extended name: entity_id 
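Review bot: the new `process.entry_leader.parent.endpoint_security_client` field is missing an `example` (the neighbouring boolean fields such as `code_signature.trusted` carry `example: 'true'`), and its `description` is hard to parse: "Processes that have an endpoint security client must have the com.apple.endpointsecurity entitlement and the value is set to true in the message." The `short` text already states the meaning more directly; consider a description along the lines of "Set to true when the process executable holds the com.apple.endpointsecurity entitlement, i.e. it is an Endpoint Security client. Relevant to macOS only.", and confirm the wording matches the same field at the other `process.*` nesting levels so the generated docs stay consistent.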
@@ -15276,15 +17789,390 @@ process: original_fieldset: process short: Unique identifier for the process. type: keyword - process.parent.executable: - dashed_name: process-parent-executable + process.entry_leader.parent.entry_meta.source.address: + dashed_name: process-entry-leader-parent-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.entry_leader.parent.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword + process.entry_leader.parent.entry_meta.source.as.number: + dashed_name: process-entry-leader-parent-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.entry_leader.parent.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.entry_leader.parent.entry_meta.source.as.organization.name: + dashed_name: process-entry-leader-parent-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.entry_leader.parent.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. 
+ type: keyword + process.entry_leader.parent.entry_meta.source.bytes: + dashed_name: process-entry-leader-parent-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.entry_leader.parent.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.entry_leader.parent.entry_meta.source.domain: + dashed_name: process-entry-leader-parent-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.entry_leader.parent.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.entry_leader.parent.entry_meta.source.geo.city_name: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.entry_leader.parent.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + process.entry_leader.parent.entry_meta.source.geo.continent_code: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.entry_leader.parent.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. 
+ type: keyword + process.entry_leader.parent.entry_meta.source.geo.continent_name: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.entry_leader.parent.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.entry_leader.parent.entry_meta.source.geo.country_iso_code: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.entry_leader.parent.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + process.entry_leader.parent.entry_meta.source.geo.country_name: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.entry_leader.parent.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + process.entry_leader.parent.entry_meta.source.geo.location: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.entry_leader.parent.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + process.entry_leader.parent.entry_meta.source.geo.name: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. 
+ + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.entry_leader.parent.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.entry_leader.parent.entry_meta.source.geo.postal_code: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.entry_leader.parent.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.entry_leader.parent.entry_meta.source.geo.region_iso_code: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.entry_leader.parent.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.entry_leader.parent.entry_meta.source.geo.region_name: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.entry_leader.parent.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. 
+ type: keyword + process.entry_leader.parent.entry_meta.source.geo.timezone: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.entry_leader.parent.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.entry_leader.parent.entry_meta.source.ip: + dashed_name: process-entry-leader-parent-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.entry_leader.parent.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip + process.entry_leader.parent.entry_meta.source.mac: + dashed_name: process-entry-leader-parent-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.entry_leader.parent.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.entry_leader.parent.entry_meta.source.nat.ip: + dashed_name: process-entry-leader-parent-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' 
+ flat_name: process.entry_leader.parent.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.entry_leader.parent.entry_meta.source.nat.port: + dashed_name: process-entry-leader-parent-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.entry_leader.parent.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.entry_leader.parent.entry_meta.source.packets: + dashed_name: process-entry-leader-parent-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.entry_leader.parent.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.entry_leader.parent.entry_meta.source.port: + dashed_name: process-entry-leader-parent-entry-meta-source-port + description: Port of the source. + flat_name: process.entry_leader.parent.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.entry_leader.parent.entry_meta.source.registered_domain: + dashed_name: process-entry-leader-parent-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' 
+ example: example.com + flat_name: process.entry_leader.parent.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.entry_leader.parent.entry_meta.source.subdomain: + dashed_name: process-entry-leader-parent-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.entry_leader.parent.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.entry_leader.parent.entry_meta.source.top_level_domain: + dashed_name: process-entry-leader-parent-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' 
+ example: co.uk + flat_name: process.entry_leader.parent.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword + process.entry_leader.parent.entry_meta.type: + dashed_name: process-entry-leader-parent-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.entry_leader.parent.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword + process.entry_leader.parent.env_vars: + dashed_name: process-entry-leader-parent-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.entry_leader.parent.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.executable: + dashed_name: process-entry-leader-parent-executable description: Absolute path to the process executable. example: /usr/bin/ssh - flat_name: process.parent.executable + flat_name: process.entry_leader.parent.executable ignore_above: 1024 level: extended multi_fields: - - flat_name: process.parent.executable.text + - flat_name: process.entry_leader.parent.executable.text name: text type: match_only_text name: executable 
@@ -15292,24 +18180,37 @@ process: original_fieldset: process short: Absolute path to the process executable. type: keyword - process.parent.exit_code: - dashed_name: process-parent-exit-code + process.entry_leader.parent.exit_code: + dashed_name: process-entry-leader-parent-exit-code description: 'The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).' example: 137 - flat_name: process.parent.exit_code + flat_name: process.entry_leader.parent.exit_code level: extended name: exit_code normalize: [] original_fieldset: process short: The exit code of the process. type: long - process.parent.group.id: - dashed_name: process-parent-group-id + process.entry_leader.parent.group.domain: + dashed_name: process-entry-leader-parent-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.group.id: + dashed_name: process-entry-leader-parent-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group.id + flat_name: process.entry_leader.parent.group.id ignore_above: 1024 level: extended name: id @@ -15317,10 +18218,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.parent.group.name: - dashed_name: process-parent-group-name + process.entry_leader.parent.group.name: + dashed_name: process-entry-leader-parent-group-name description: Name of the group. - flat_name: process.parent.group.name + flat_name: process.entry_leader.parent.group.name ignore_above: 1024 level: extended name: name 
@@ -15328,72 +18229,13 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.parent.group_leader.entity_id: - dashed_name: process-parent-group-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.parent.group_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.parent.group_leader.pid: - dashed_name: process-parent-group-leader-pid - description: Process id. - example: 4242 - flat_name: process.parent.group_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.parent.group_leader.start: - dashed_name: process-parent-group-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.group_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.parent.group_leader.vpid: - dashed_name: process-parent-group-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' 
- example: 4242 - flat_name: process.parent.group_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.parent.hash.cdhash: + process.entry_leader.parent.hash.cdhash: beta: This field is beta and subject to change. - dashed_name: process-parent-hash-cdhash + dashed_name: process-entry-leader-parent-hash-cdhash description: Code directory hash, utilized to uniquely identify and authenticate the integrity of the executable code. example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.parent.hash.cdhash + flat_name: process.entry_leader.parent.hash.cdhash ignore_above: 1024 level: extended name: cdhash @@ -15401,10 +18243,10 @@ process: original_fieldset: hash short: The Code Directory (CD) hash of an executable. type: keyword - process.parent.hash.md5: - dashed_name: process-parent-hash-md5 + process.entry_leader.parent.hash.md5: + dashed_name: process-entry-leader-parent-hash-md5 description: MD5 hash. - flat_name: process.parent.hash.md5 + flat_name: process.entry_leader.parent.hash.md5 ignore_above: 1024 level: extended name: md5 @@ -15412,10 +18254,10 @@ process: original_fieldset: hash short: MD5 hash. type: keyword - process.parent.hash.sha1: - dashed_name: process-parent-hash-sha1 + process.entry_leader.parent.hash.sha1: + dashed_name: process-entry-leader-parent-hash-sha1 description: SHA1 hash. - flat_name: process.parent.hash.sha1 + flat_name: process.entry_leader.parent.hash.sha1 ignore_above: 1024 level: extended name: sha1 @@ -15423,10 +18265,10 @@ process: original_fieldset: hash short: SHA1 hash. type: keyword - process.parent.hash.sha256: - dashed_name: process-parent-hash-sha256 + process.entry_leader.parent.hash.sha256: + dashed_name: process-entry-leader-parent-hash-sha256 description: SHA256 hash. - flat_name: process.parent.hash.sha256 + flat_name: process.entry_leader.parent.hash.sha256 ignore_above: 1024 level: extended name: sha256 
@@ -15434,591 +18276,41390 @@ process: original_fieldset: hash short: SHA256 hash. type: keyword - process.parent.hash.sha384: - dashed_name: process-parent-hash-sha384 + process.entry_leader.parent.hash.sha384: + dashed_name: process-entry-leader-parent-hash-sha384 description: SHA384 hash. - flat_name: process.parent.hash.sha384 + flat_name: process.entry_leader.parent.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword + process.entry_leader.parent.hash.sha512: + dashed_name: process-entry-leader-parent-hash-sha512 + description: SHA512 hash. + flat_name: process.entry_leader.parent.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.entry_leader.parent.hash.ssdeep: + dashed_name: process-entry-leader-parent-hash-ssdeep + description: SSDEEP hash. + flat_name: process.entry_leader.parent.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + process.entry_leader.parent.hash.tlsh: + dashed_name: process-entry-leader-parent-hash-tlsh + description: TLSH hash. + flat_name: process.entry_leader.parent.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.entry_leader.parent.interactive: + dashed_name: process-entry-leader-parent-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. 
+ + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.entry_leader.parent.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.entry_leader.parent.io: + dashed_name: process-entry-leader-parent-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.entry_leader.parent.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object + process.entry_leader.parent.io.bytes_skipped: + dashed_name: process-entry-leader-parent-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + flat_name: process.entry_leader.parent.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.entry_leader.parent.io.bytes_skipped.length: + dashed_name: process-entry-leader-parent-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.entry_leader.parent.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. 
+ type: long + process.entry_leader.parent.io.bytes_skipped.offset: + dashed_name: process-entry-leader-parent-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.entry_leader.parent.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.entry_leader.parent.io.max_bytes_per_process_exceeded: + dashed_name: process-entry-leader-parent-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.entry_leader.parent.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.entry_leader.parent.io.text: + dashed_name: process-entry-leader-parent-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.entry_leader.parent.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. 
+ type: wildcard + process.entry_leader.parent.io.total_bytes_captured: + dashed_name: process-entry-leader-parent-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.entry_leader.parent.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long + process.entry_leader.parent.io.total_bytes_skipped: + dashed_name: process-entry-leader-parent-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.entry_leader.parent.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: long + process.entry_leader.parent.io.type: + dashed_name: process-entry-leader-parent-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.entry_leader.parent.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword + process.entry_leader.parent.macho.go_import_hash: + dashed_name: process-entry-leader-parent-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.parent.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword + process.entry_leader.parent.macho.go_imports: + dashed_name: process-entry-leader-parent-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.parent.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.entry_leader.parent.macho.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.parent.macho.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long + process.entry_leader.parent.macho.go_stripped: + dashed_name: process-entry-leader-parent-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.parent.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.entry_leader.parent.macho.import_hash: + dashed_name: process-entry-leader-parent-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.parent.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.entry_leader.parent.macho.imports: + dashed_name: process-entry-leader-parent-macho-imports + description: List of imported element names and types. + flat_name: process.entry_leader.parent.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + process.entry_leader.parent.macho.imports_names_entropy: + dashed_name: process-entry-leader-parent-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.entry_leader.parent.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.entry_leader.parent.macho.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.parent.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.entry_leader.parent.macho.sections: + dashed_name: process-entry-leader-parent-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.entry_leader.parent.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.entry_leader.parent.macho.sections.entropy: + dashed_name: process-entry-leader-parent-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long + process.entry_leader.parent.macho.sections.name: + dashed_name: process-entry-leader-parent-macho-sections-name + description: Mach-O Section List name. 
+ flat_name: process.entry_leader.parent.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.entry_leader.parent.macho.sections.physical_size: + dashed_name: process-entry-leader-parent-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.entry_leader.parent.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.entry_leader.parent.macho.sections.var_entropy: + dashed_name: process-entry-leader-parent-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.entry_leader.parent.macho.sections.virtual_size: + dashed_name: process-entry-leader-parent-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.entry_leader.parent.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.entry_leader.parent.macho.symhash: + dashed_name: process-entry-leader-parent-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
+ + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.entry_leader.parent.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.entry_leader.parent.name: + dashed_name: process-entry-leader-parent-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.entry_leader.parent.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword + process.entry_leader.parent.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.entry_leader.parent.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.entry_leader.parent.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.entry_leader.parent.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. 
+ type: keyword + process.entry_leader.parent.pe.architecture: + dashed_name: process-entry-leader-parent-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.entry_leader.parent.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + process.entry_leader.parent.pe.company: + dashed_name: process-entry-leader-parent-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.entry_leader.parent.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.entry_leader.parent.pe.description: + dashed_name: process-entry-leader-parent-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.entry_leader.parent.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + process.entry_leader.parent.pe.file_version: + dashed_name: process-entry-leader-parent-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.entry_leader.parent.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + process.entry_leader.parent.pe.go_import_hash: + dashed_name: process-entry-leader-parent-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.parent.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword + process.entry_leader.parent.pe.go_imports: + dashed_name: process-entry-leader-parent-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.parent.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.entry_leader.parent.pe.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.parent.pe.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long + process.entry_leader.parent.pe.go_stripped: + dashed_name: process-entry-leader-parent-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.parent.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.entry_leader.parent.pe.imphash: + dashed_name: process-entry-leader-parent-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.entry_leader.parent.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.entry_leader.parent.pe.import_hash: + dashed_name: process-entry-leader-parent-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.parent.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.entry_leader.parent.pe.imports: + dashed_name: process-entry-leader-parent-pe-imports + description: List of imported element names and types. 
+ flat_name: process.entry_leader.parent.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + process.entry_leader.parent.pe.imports_names_entropy: + dashed_name: process-entry-leader-parent-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.entry_leader.parent.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.entry_leader.parent.pe.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.parent.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.entry_leader.parent.pe.original_file_name: + dashed_name: process-entry-leader-parent-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.entry_leader.parent.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + process.entry_leader.parent.pe.pehash: + dashed_name: process-entry-leader-parent-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. 
+ + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.entry_leader.parent.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword + process.entry_leader.parent.pe.product: + dashed_name: process-entry-leader-parent-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.entry_leader.parent.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.entry_leader.parent.pe.sections: + dashed_name: process-entry-leader-parent-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.entry_leader.parent.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.entry_leader.parent.pe.sections.entropy: + dashed_name: process-entry-leader-parent-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + process.entry_leader.parent.pe.sections.name: + dashed_name: process-entry-leader-parent-pe-sections-name + description: PE Section List name. 
+ flat_name: process.entry_leader.parent.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + process.entry_leader.parent.pe.sections.physical_size: + dashed_name: process-entry-leader-parent-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.entry_leader.parent.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.entry_leader.parent.pe.sections.var_entropy: + dashed_name: process-entry-leader-parent-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.entry_leader.parent.pe.sections.virtual_size: + dashed_name: process-entry-leader-parent-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.entry_leader.parent.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.entry_leader.parent.pid: + dashed_name: process-entry-leader-parent-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.parent.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.entry_leader.parent.platform_binary: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + flat_name: process.entry_leader.parent.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.entry_leader.parent.real_group.domain: + dashed_name: process-entry-leader-parent-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.real_group.id: + dashed_name: process-entry-leader-parent-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.real_group.name: + dashed_name: process-entry-leader-parent-real-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.real_user.domain: + dashed_name: process-entry-leader-parent-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.parent.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.entry_leader.parent.real_user.email: + dashed_name: process-entry-leader-parent-real-user-email + description: User email address. + flat_name: process.entry_leader.parent.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.entry_leader.parent.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.entry_leader.parent.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.entry_leader.parent.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.entry_leader.parent.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.entry_leader.parent.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.parent.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.real_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.entry_leader.parent.real_user.entity.id: + dashed_name: process-entry-leader-parent-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.entry_leader.parent.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. 
+ type: keyword + process.entry_leader.parent.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.parent.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.entry_leader.parent.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.entry_leader.parent.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.entry_leader.parent.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.entry_leader.parent.real_user.entity.name: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.entry_leader.parent.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.real_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.entry_leader.parent.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.entry_leader.parent.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.entry_leader.parent.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.parent.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. 
+ type: keyword + process.entry_leader.parent.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.entry_leader.parent.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.entry_leader.parent.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.parent.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.entry_leader.parent.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. 
This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
+ example: host + flat_name: process.entry_leader.parent.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.entry_leader.parent.real_user.full_name: + dashed_name: process-entry-leader-parent-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.parent.real_user.group.domain: + dashed_name: process-entry-leader-parent-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.real_user.group.id: + dashed_name: process-entry-leader-parent-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.real_user.group.name: + dashed_name: process-entry-leader-parent-real-user-group-name + description: Name of the group. 
+ flat_name: process.entry_leader.parent.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.real_user.hash: + dashed_name: process-entry-leader-parent-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.parent.real_user.id: + dashed_name: process-entry-leader-parent-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.entry_leader.parent.real_user.name: + dashed_name: process-entry-leader-parent-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.entry_leader.parent.real_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.entry_leader.parent.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.entry_leader.parent.real_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.entry_leader.parent.real_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.parent.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.parent.real_user.risk.static_level: + dashed_name: process-entry-leader-parent-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.entry_leader.parent.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.entry_leader.parent.real_user.risk.static_score: + dashed_name: process-entry-leader-parent-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.entry_leader.parent.real_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.parent.real_user.roles: + dashed_name: process-entry-leader-parent-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword + process.entry_leader.parent.same_as_process: + dashed_name: process-entry-leader-parent-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.entry_leader.parent.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. + type: boolean + process.entry_leader.parent.saved_group.domain: + dashed_name: process-entry-leader-parent-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.entry_leader.parent.saved_group.id: + dashed_name: process-entry-leader-parent-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.saved_group.name: + dashed_name: process-entry-leader-parent-saved-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.saved_user.domain: + dashed_name: process-entry-leader-parent-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.entry_leader.parent.saved_user.email: + dashed_name: process-entry-leader-parent-saved-user-email + description: User email address. + flat_name: process.entry_leader.parent.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.entry_leader.parent.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. 
Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.entry_leader.parent.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.entry_leader.parent.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.entry_leader.parent.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.entry_leader.parent.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.saved_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.entry_leader.parent.saved_user.entity.id: + dashed_name: process-entry-leader-parent-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.entry_leader.parent.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.entry_leader.parent.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.parent.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." 
+ type: date + process.entry_leader.parent.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.entry_leader.parent.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.entry_leader.parent.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.entry_leader.parent.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.entry_leader.parent.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.saved_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. 
+ type: keyword + process.entry_leader.parent.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.entry_leader.parent.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.entry_leader.parent.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.parent.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.entry_leader.parent.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.entry_leader.parent.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.entry_leader.parent.saved_user.entity.sub_type: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.parent.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.entry_leader.parent.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. 
This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.entry_leader.parent.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.entry_leader.parent.saved_user.full_name: + dashed_name: process-entry-leader-parent-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. 
+ type: keyword + process.entry_leader.parent.saved_user.group.domain: + dashed_name: process-entry-leader-parent-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.saved_user.group.id: + dashed_name: process-entry-leader-parent-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.saved_user.group.name: + dashed_name: process-entry-leader-parent-saved-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.saved_user.hash: + dashed_name: process-entry-leader-parent-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.parent.saved_user.id: + dashed_name: process-entry-leader-parent-saved-user-id + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.entry_leader.parent.saved_user.name: + dashed_name: process-entry-leader-parent-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.entry_leader.parent.saved_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.entry_leader.parent.saved_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + process.entry_leader.parent.saved_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.parent.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.parent.saved_user.risk.static_level: + dashed_name: process-entry-leader-parent-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.entry_leader.parent.saved_user.risk.static_score: + dashed_name: process-entry-leader-parent-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.entry_leader.parent.saved_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.parent.saved_user.roles: + dashed_name: process-entry-leader-parent-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.session_leader.args: + dashed_name: process-entry-leader-parent-session-leader-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.entry_leader.parent.session_leader.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.entry_leader.parent.session_leader.args_count: + dashed_name: process-entry-leader-parent-session-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' 
+ example: 4 + flat_name: process.entry_leader.parent.session_leader.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long + process.entry_leader.parent.session_leader.attested_groups.domain: + dashed_name: process-entry-leader-parent-session-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.session_leader.attested_groups.id: + dashed_name: process-entry-leader-parent-session-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.session_leader.attested_groups.name: + dashed_name: process-entry-leader-parent-session-leader-attested-groups-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.session_leader.attested_user.domain: + dashed_name: process-entry-leader-parent-session-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.parent.session_leader.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.entry_leader.parent.session_leader.attested_user.email: + dashed_name: process-entry-leader-parent-session-leader-attested-user-email + description: User email address. + flat_name: process.entry_leader.parent.session_leader.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.entry_leader.parent.session_leader.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.entry_leader.parent.session_leader.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. 
Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.entry_leader.parent.session_leader.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.entry_leader.parent.session_leader.attested_user.entity.id: + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). 
For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.entry_leader.parent.session_leader.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.entry_leader.parent.session_leader.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.entry_leader.parent.session_leader.attested_user.entity.metrics: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.entry_leader.parent.session_leader.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.entry_leader.parent.session_leader.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. 
+ type: object + process.entry_leader.parent.session_leader.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.entry_leader.parent.session_leader.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.entry_leader.parent.session_leader.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.entry_leader.parent.session_leader.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. 
+ This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.entry_leader.parent.session_leader.attested_user.full_name: + dashed_name: process-entry-leader-parent-session-leader-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.session_leader.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.parent.session_leader.attested_user.group.domain: + dashed_name: process-entry-leader-parent-session-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.parent.session_leader.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.session_leader.attested_user.group.id: + dashed_name: process-entry-leader-parent-session-leader-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.session_leader.attested_user.group.name: + dashed_name: process-entry-leader-parent-session-leader-attested-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.session_leader.attested_user.hash: + dashed_name: process-entry-leader-parent-session-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.session_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.parent.session_leader.attested_user.id: + dashed_name: process-entry-leader-parent-session-leader-attested-user-id + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.session_leader.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.entry_leader.parent.session_leader.attested_user.name: + dashed_name: process-entry-leader-parent-session-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.session_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.entry_leader.parent.session_leader.attested_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.entry_leader.parent.session_leader.attested_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.parent.session_leader.attested_user.risk.static_level: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.entry_leader.parent.session_leader.attested_user.risk.static_score: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.entry_leader.parent.session_leader.attested_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.parent.session_leader.attested_user.roles: + dashed_name: process-entry-leader-parent-session-leader-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.session_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.session_leader.code_signature.digest_algorithm: + dashed_name: process-entry-leader-parent-session-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' 
+ example: sha256 + flat_name: process.entry_leader.parent.session_leader.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword + process.entry_leader.parent.session_leader.code_signature.exists: + dashed_name: process-entry-leader-parent-session-leader-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.entry_leader.parent.session_leader.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.entry_leader.parent.session_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.entry_leader.parent.session_leader.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword + process.entry_leader.parent.session_leader.code_signature.signing_id: + dashed_name: process-entry-leader-parent-session-leader-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.entry_leader.parent.session_leader.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. 
+ type: keyword + process.entry_leader.parent.session_leader.code_signature.status: + dashed_name: process-entry-leader-parent-session-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.entry_leader.parent.session_leader.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + process.entry_leader.parent.session_leader.code_signature.subject_name: + dashed_name: process-entry-leader-parent-session-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.entry_leader.parent.session_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.entry_leader.parent.session_leader.code_signature.team_id: + dashed_name: process-entry-leader-parent-session-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.entry_leader.parent.session_leader.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + process.entry_leader.parent.session_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-session-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.entry_leader.parent.session_leader.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword + process.entry_leader.parent.session_leader.code_signature.timestamp: + dashed_name: process-entry-leader-parent-session-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.entry_leader.parent.session_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date + process.entry_leader.parent.session_leader.code_signature.trusted: + dashed_name: process-entry-leader-parent-session-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.entry_leader.parent.session_leader.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.entry_leader.parent.session_leader.code_signature.valid: + dashed_name: process-entry-leader-parent-session-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' 
+ example: 'true' + flat_name: process.entry_leader.parent.session_leader.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + process.entry_leader.parent.session_leader.command_line: + dashed_name: process-entry-leader-parent-session-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.entry_leader.parent.session_leader.command_line + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.entry_leader.parent.session_leader.elf.architecture: + dashed_name: process-entry-leader-parent-session-leader-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.entry_leader.parent.session_leader.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.entry_leader.parent.session_leader.elf.byte_order: + dashed_name: process-entry-leader-parent-session-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.entry_leader.parent.session_leader.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. 
+ type: keyword + process.entry_leader.parent.session_leader.elf.cpu_type: + dashed_name: process-entry-leader-parent-session-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.entry_leader.parent.session_leader.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + process.entry_leader.parent.session_leader.elf.creation_date: + dashed_name: process-entry-leader-parent-session-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: process.entry_leader.parent.session_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + process.entry_leader.parent.session_leader.elf.exports: + dashed_name: process-entry-leader-parent-session-leader-elf-exports + description: List of exported element names and types. + flat_name: process.entry_leader.parent.session_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + process.entry_leader.parent.session_leader.elf.go_import_hash: + dashed_name: process-entry-leader-parent-session-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.parent.session_leader.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + process.entry_leader.parent.session_leader.elf.go_imports: + dashed_name: process-entry-leader-parent-session-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.parent.session_leader.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.entry_leader.parent.session_leader.elf.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.parent.session_leader.elf.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long + process.entry_leader.parent.session_leader.elf.go_stripped: + dashed_name: process-entry-leader-parent-session-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.parent.session_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.entry_leader.parent.session_leader.elf.header.abi_version: + dashed_name: process-entry-leader-parent-session-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.entry_leader.parent.session_leader.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.entry_leader.parent.session_leader.elf.header.class: + dashed_name: process-entry-leader-parent-session-leader-elf-header-class + description: Header class of the ELF file. + flat_name: process.entry_leader.parent.session_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + process.entry_leader.parent.session_leader.elf.header.data: + dashed_name: process-entry-leader-parent-session-leader-elf-header-data + description: Data table of the ELF header. + flat_name: process.entry_leader.parent.session_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. 
+ type: keyword + process.entry_leader.parent.session_leader.elf.header.entrypoint: + dashed_name: process-entry-leader-parent-session-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.entry_leader.parent.session_leader.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.entry_leader.parent.session_leader.elf.header.object_version: + dashed_name: process-entry-leader-parent-session-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.entry_leader.parent.session_leader.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.entry_leader.parent.session_leader.elf.header.os_abi: + dashed_name: process-entry-leader-parent-session-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.entry_leader.parent.session_leader.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.entry_leader.parent.session_leader.elf.header.type: + dashed_name: process-entry-leader-parent-session-leader-elf-header-type + description: Header type of the ELF file. + flat_name: process.entry_leader.parent.session_leader.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.entry_leader.parent.session_leader.elf.header.version: + dashed_name: process-entry-leader-parent-session-leader-elf-header-version + description: Version of the ELF header. 
+ flat_name: process.entry_leader.parent.session_leader.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.entry_leader.parent.session_leader.elf.import_hash: + dashed_name: process-entry-leader-parent-session-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.parent.session_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword + process.entry_leader.parent.session_leader.elf.imports: + dashed_name: process-entry-leader-parent-session-leader-elf-imports + description: List of imported element names and types. + flat_name: process.entry_leader.parent.session_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.entry_leader.parent.session_leader.elf.imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.entry_leader.parent.session_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. 
+ type: long + process.entry_leader.parent.session_leader.elf.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.parent.session_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.entry_leader.parent.session_leader.elf.sections: + dashed_name: process-entry-leader-parent-session-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.entry_leader.parent.session_leader.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.entry_leader.parent.session_leader.elf.sections.chi2: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.entry_leader.parent.session_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.entry_leader.parent.session_leader.elf.sections.entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: process.entry_leader.parent.session_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.entry_leader.parent.session_leader.elf.sections.flags: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.entry_leader.parent.session_leader.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + process.entry_leader.parent.session_leader.elf.sections.name: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.entry_leader.parent.session_leader.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.entry_leader.parent.session_leader.elf.sections.physical_offset: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.entry_leader.parent.session_leader.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.entry_leader.parent.session_leader.elf.sections.physical_size: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.entry_leader.parent.session_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. 
+ type: long + process.entry_leader.parent.session_leader.elf.sections.type: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-type + description: ELF Section List type. + flat_name: process.entry_leader.parent.session_leader.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.entry_leader.parent.session_leader.elf.sections.var_entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long + process.entry_leader.parent.session_leader.elf.sections.virtual_address: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.entry_leader.parent.session_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.entry_leader.parent.session_leader.elf.sections.virtual_size: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.entry_leader.parent.session_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. 
+ type: long + process.entry_leader.parent.session_leader.elf.segments: + dashed_name: process-entry-leader-parent-session-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.entry_leader.parent.session_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + process.entry_leader.parent.session_leader.elf.segments.sections: + dashed_name: process-entry-leader-parent-session-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.entry_leader.parent.session_leader.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.entry_leader.parent.session_leader.elf.segments.type: + dashed_name: process-entry-leader-parent-session-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.entry_leader.parent.session_leader.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + process.entry_leader.parent.session_leader.elf.shared_libraries: + dashed_name: process-entry-leader-parent-session-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.entry_leader.parent.session_leader.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. 
+ type: keyword + process.entry_leader.parent.session_leader.elf.telfhash: + dashed_name: process-entry-leader-parent-session-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.entry_leader.parent.session_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + process.entry_leader.parent.session_leader.end: + dashed_name: process-entry-leader-parent-session-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.session_leader.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date + process.entry_leader.parent.session_leader.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.entry_leader.parent.session_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.entry_leader.parent.session_leader.entity_id: + dashed_name: process-entry-leader-parent-session-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. 
+ + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.entry_leader.parent.session_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.address: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.as.number: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.bytes: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.entry_leader.parent.session_leader.entry_meta.source.domain: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.geo.city_name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. 
+ type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_code: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.geo.country_name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. 
+ type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.geo.location: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + process.entry_leader.parent.session_leader.entry_meta.source.geo.name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.geo.postal_code: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. 
+ example: CA-QC + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.geo.region_name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.geo.timezone: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.ip: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip + process.entry_leader.parent.session_leader.entry_meta.source.mac: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. 
Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.nat.ip: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.entry_leader.parent.session_leader.entry_meta.source.nat.port: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.entry_leader.parent.session_leader.entry_meta.source.packets: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. 
+ type: long + process.entry_leader.parent.session_leader.entry_meta.source.port: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.entry_leader.parent.session_leader.entry_meta.source.registered_domain: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.subdomain: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.top_level_domain: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword + process.entry_leader.parent.session_leader.entry_meta.type: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.entry_leader.parent.session_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. 
+ type: keyword + process.entry_leader.parent.session_leader.env_vars: + dashed_name: process-entry-leader-parent-session-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.entry_leader.parent.session_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.session_leader.executable: + dashed_name: process-entry-leader-parent-session-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.entry_leader.parent.session_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword + process.entry_leader.parent.session_leader.exit_code: + dashed_name: process-entry-leader-parent-session-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.entry_leader.parent.session_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long + process.entry_leader.parent.session_leader.group.domain: + dashed_name: process-entry-leader-parent-session-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.parent.session_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.session_leader.group.id: + dashed_name: process-entry-leader-parent-session-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.session_leader.group.name: + dashed_name: process-entry-leader-parent-session-leader-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.session_leader.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.entry_leader.parent.session_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.entry_leader.parent.session_leader.hash.md5: + dashed_name: process-entry-leader-parent-session-leader-hash-md5 + description: MD5 hash. + flat_name: process.entry_leader.parent.session_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. 
+ type: keyword + process.entry_leader.parent.session_leader.hash.sha1: + dashed_name: process-entry-leader-parent-session-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.entry_leader.parent.session_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + process.entry_leader.parent.session_leader.hash.sha256: + dashed_name: process-entry-leader-parent-session-leader-hash-sha256 + description: SHA256 hash. + flat_name: process.entry_leader.parent.session_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.entry_leader.parent.session_leader.hash.sha384: + dashed_name: process-entry-leader-parent-session-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.entry_leader.parent.session_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword + process.entry_leader.parent.session_leader.hash.sha512: + dashed_name: process-entry-leader-parent-session-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.entry_leader.parent.session_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.entry_leader.parent.session_leader.hash.ssdeep: + dashed_name: process-entry-leader-parent-session-leader-hash-ssdeep + description: SSDEEP hash. + flat_name: process.entry_leader.parent.session_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + process.entry_leader.parent.session_leader.hash.tlsh: + dashed_name: process-entry-leader-parent-session-leader-hash-tlsh + description: TLSH hash. 
+ flat_name: process.entry_leader.parent.session_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.entry_leader.parent.session_leader.interactive: + dashed_name: process-entry-leader-parent-session-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.entry_leader.parent.session_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.entry_leader.parent.session_leader.io: + dashed_name: process-entry-leader-parent-session-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.entry_leader.parent.session_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object + process.entry_leader.parent.session_leader.io.bytes_skipped: + dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. 
+ flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.entry_leader.parent.session_leader.io.bytes_skipped.length: + dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long + process.entry_leader.parent.session_leader.io.bytes_skipped.offset: + dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-entry-leader-parent-session-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. 
+ type: boolean + process.entry_leader.parent.session_leader.io.text: + dashed_name: process-entry-leader-parent-session-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.entry_leader.parent.session_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard + process.entry_leader.parent.session_leader.io.total_bytes_captured: + dashed_name: process-entry-leader-parent-session-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.entry_leader.parent.session_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long + process.entry_leader.parent.session_leader.io.total_bytes_skipped: + dashed_name: process-entry-leader-parent-session-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.entry_leader.parent.session_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. 
+ type: long + process.entry_leader.parent.session_leader.io.type: + dashed_name: process-entry-leader-parent-session-leader-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.entry_leader.parent.session_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword + process.entry_leader.parent.session_leader.macho.go_import_hash: + dashed_name: process-entry-leader-parent-session-leader-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.parent.session_leader.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword + process.entry_leader.parent.session_leader.macho.go_imports: + dashed_name: process-entry-leader-parent-session-leader-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.parent.session_leader.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. 
+ type: flattened + process.entry_leader.parent.session_leader.macho.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.parent.session_leader.macho.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.parent.session_leader.macho.go_stripped: + dashed_name: process-entry-leader-parent-session-leader-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.parent.session_leader.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.entry_leader.parent.session_leader.macho.import_hash: + dashed_name: process-entry-leader-parent-session-leader-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
+ + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.parent.session_leader.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.entry_leader.parent.session_leader.macho.imports: + dashed_name: process-entry-leader-parent-session-leader-macho-imports + description: List of imported element names and types. + flat_name: process.entry_leader.parent.session_leader.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + process.entry_leader.parent.session_leader.macho.imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.entry_leader.parent.session_leader.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.entry_leader.parent.session_leader.macho.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.parent.session_leader.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. 
+ type: long + process.entry_leader.parent.session_leader.macho.sections: + dashed_name: process-entry-leader-parent-session-leader-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.entry_leader.parent.session_leader.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.entry_leader.parent.session_leader.macho.sections.entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long + process.entry_leader.parent.session_leader.macho.sections.name: + dashed_name: process-entry-leader-parent-session-leader-macho-sections-name + description: Mach-O Section List name. + flat_name: process.entry_leader.parent.session_leader.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.entry_leader.parent.session_leader.macho.sections.physical_size: + dashed_name: process-entry-leader-parent-session-leader-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.entry_leader.parent.session_leader.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. 
+ type: long + process.entry_leader.parent.session_leader.macho.sections.var_entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.entry_leader.parent.session_leader.macho.sections.virtual_size: + dashed_name: process-entry-leader-parent-session-leader-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.entry_leader.parent.session_leader.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.entry_leader.parent.session_leader.macho.symhash: + dashed_name: process-entry-leader-parent-session-leader-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.entry_leader.parent.session_leader.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.entry_leader.parent.session_leader.name: + dashed_name: process-entry-leader-parent-session-leader-name + description: 'Process name. + + Sometimes called program name or similar.' 
+ example: ssh + flat_name: process.entry_leader.parent.session_leader.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword + process.entry_leader.parent.session_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.entry_leader.parent.session_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.entry_leader.parent.session_leader.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.entry_leader.parent.session_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword + process.entry_leader.parent.session_leader.pe.architecture: + dashed_name: process-entry-leader-parent-session-leader-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.entry_leader.parent.session_leader.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. 
+ type: keyword + process.entry_leader.parent.session_leader.pe.company: + dashed_name: process-entry-leader-parent-session-leader-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.entry_leader.parent.session_leader.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.entry_leader.parent.session_leader.pe.description: + dashed_name: process-entry-leader-parent-session-leader-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.entry_leader.parent.session_leader.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + process.entry_leader.parent.session_leader.pe.file_version: + dashed_name: process-entry-leader-parent-session-leader-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.entry_leader.parent.session_leader.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + process.entry_leader.parent.session_leader.pe.go_import_hash: + dashed_name: process-entry-leader-parent-session-leader-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.parent.session_leader.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword + process.entry_leader.parent.session_leader.pe.go_imports: + dashed_name: process-entry-leader-parent-session-leader-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.parent.session_leader.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.entry_leader.parent.session_leader.pe.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.parent.session_leader.pe.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long + process.entry_leader.parent.session_leader.pe.go_stripped: + dashed_name: process-entry-leader-parent-session-leader-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.parent.session_leader.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.entry_leader.parent.session_leader.pe.imphash: + dashed_name: process-entry-leader-parent-session-leader-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.entry_leader.parent.session_leader.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.entry_leader.parent.session_leader.pe.import_hash: + dashed_name: process-entry-leader-parent-session-leader-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.parent.session_leader.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. 
+ type: keyword + process.entry_leader.parent.session_leader.pe.imports: + dashed_name: process-entry-leader-parent-session-leader-pe-imports + description: List of imported element names and types. + flat_name: process.entry_leader.parent.session_leader.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + process.entry_leader.parent.session_leader.pe.imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.entry_leader.parent.session_leader.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.entry_leader.parent.session_leader.pe.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.parent.session_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.entry_leader.parent.session_leader.pe.original_file_name: + dashed_name: process-entry-leader-parent-session-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. 
+ example: MSPAINT.EXE + flat_name: process.entry_leader.parent.session_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + process.entry_leader.parent.session_leader.pe.pehash: + dashed_name: process-entry-leader-parent-session-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.entry_leader.parent.session_leader.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword + process.entry_leader.parent.session_leader.pe.product: + dashed_name: process-entry-leader-parent-session-leader-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.entry_leader.parent.session_leader.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.entry_leader.parent.session_leader.pe.sections: + dashed_name: process-entry-leader-parent-session-leader-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' 
+ flat_name: process.entry_leader.parent.session_leader.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.entry_leader.parent.session_leader.pe.sections.entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + process.entry_leader.parent.session_leader.pe.sections.name: + dashed_name: process-entry-leader-parent-session-leader-pe-sections-name + description: PE Section List name. + flat_name: process.entry_leader.parent.session_leader.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + process.entry_leader.parent.session_leader.pe.sections.physical_size: + dashed_name: process-entry-leader-parent-session-leader-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.entry_leader.parent.session_leader.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.entry_leader.parent.session_leader.pe.sections.var_entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. 
+ type: long + process.entry_leader.parent.session_leader.pe.sections.virtual_size: + dashed_name: process-entry-leader-parent-session-leader-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.entry_leader.parent.session_leader.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.entry_leader.parent.session_leader.pid: + dashed_name: process-entry-leader-parent-session-leader-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.parent.session_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.entry_leader.parent.session_leader.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + flat_name: process.entry_leader.parent.session_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.entry_leader.parent.session_leader.real_group.domain: + dashed_name: process-entry-leader-parent-session-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.entry_leader.parent.session_leader.real_group.id: + dashed_name: process-entry-leader-parent-session-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.session_leader.real_group.name: + dashed_name: process-entry-leader-parent-session-leader-real-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.session_leader.real_user.domain: + dashed_name: process-entry-leader-parent-session-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.entry_leader.parent.session_leader.real_user.email: + dashed_name: process-entry-leader-parent-session-leader-real-user-email + description: User email address. + flat_name: process.entry_leader.parent.session_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.entry_leader.parent.session_leader.real_user.entity.attributes: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-session-leader-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.entry_leader.parent.session_leader.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.entry_leader.parent.session_leader.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.entry_leader.parent.session_leader.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.entry_leader.parent.session_leader.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.real_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.entry_leader.parent.session_leader.real_user.entity.id: + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.entry_leader.parent.session_leader.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.entry_leader.parent.session_leader.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. 
+ flat_name: process.entry_leader.parent.session_leader.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.entry_leader.parent.session_leader.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.entry_leader.parent.session_leader.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.entry_leader.parent.session_leader.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.entry_leader.parent.session_leader.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. 
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.entry_leader.parent.session_leader.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.real_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.entry_leader.parent.session_leader.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.entry_leader.parent.session_leader.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.entry_leader.parent.session_leader.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.parent.session_leader.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. 
+ type: keyword + process.entry_leader.parent.session_leader.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.entry_leader.parent.session_leader.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.entry_leader.parent.session_leader.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.parent.session_leader.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.entry_leader.parent.session_leader.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. 
This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
+ example: host + flat_name: process.entry_leader.parent.session_leader.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.entry_leader.parent.session_leader.real_user.full_name: + dashed_name: process-entry-leader-parent-session-leader-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.session_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.parent.session_leader.real_user.group.domain: + dashed_name: process-entry-leader-parent-session-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.session_leader.real_user.group.id: + dashed_name: process-entry-leader-parent-session-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + process.entry_leader.parent.session_leader.real_user.group.name: + dashed_name: process-entry-leader-parent-session-leader-real-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.session_leader.real_user.hash: + dashed_name: process-entry-leader-parent-session-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.session_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.parent.session_leader.real_user.id: + dashed_name: process-entry-leader-parent-session-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.session_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.entry_leader.parent.session_leader.real_user.name: + dashed_name: process-entry-leader-parent-session-leader-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.session_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword + process.entry_leader.parent.session_leader.real_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.entry_leader.parent.session_leader.real_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.entry_leader.parent.session_leader.real_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float + process.entry_leader.parent.session_leader.real_user.risk.static_level: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.entry_leader.parent.session_leader.real_user.risk.static_score: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.entry_leader.parent.session_leader.real_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. 
+ type: float + process.entry_leader.parent.session_leader.real_user.roles: + dashed_name: process-entry-leader-parent-session-leader-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.session_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.session_leader.same_as_process: + dashed_name: process-entry-leader-parent-session-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' 
+ example: true + flat_name: process.entry_leader.parent.session_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. + type: boolean + process.entry_leader.parent.session_leader.saved_group.domain: + dashed_name: process-entry-leader-parent-session-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.session_leader.saved_group.id: + dashed_name: process-entry-leader-parent-session-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.session_leader.saved_group.name: + dashed_name: process-entry-leader-parent-session-leader-saved-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.session_leader.saved_user.domain: + dashed_name: process-entry-leader-parent-session-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.parent.session_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.entry_leader.parent.session_leader.saved_user.email: + dashed_name: process-entry-leader-parent-session-leader-saved-user-email + description: User email address. + flat_name: process.entry_leader.parent.session_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.entry_leader.parent.session_leader.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.entry_leader.parent.session_leader.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.entry_leader.parent.session_leader.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.entry_leader.parent.session_leader.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.entry_leader.parent.session_leader.saved_user.entity.id: + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ flat_name: process.entry_leader.parent.session_leader.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.entry_leader.parent.session_leader.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.entry_leader.parent.session_leader.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.entry_leader.parent.session_leader.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. 
+ flat_name: process.entry_leader.parent.session_leader.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.entry_leader.parent.session_leader.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.entry_leader.parent.session_leader.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.entry_leader.parent.session_leader.saved_user.entity.reference: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.entry_leader.parent.session_leader.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.entry_leader.parent.session_leader.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.entry_leader.parent.session_leader.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. 
+ This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.entry_leader.parent.session_leader.saved_user.full_name: + dashed_name: process-entry-leader-parent-session-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.session_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.parent.session_leader.saved_user.group.domain: + dashed_name: process-entry-leader-parent-session-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.parent.session_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.session_leader.saved_user.group.id: + dashed_name: process-entry-leader-parent-session-leader-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.session_leader.saved_user.group.name: + dashed_name: process-entry-leader-parent-session-leader-saved-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.session_leader.saved_user.hash: + dashed_name: process-entry-leader-parent-session-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.session_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.parent.session_leader.saved_user.id: + dashed_name: process-entry-leader-parent-session-leader-saved-user-id + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.session_leader.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.entry_leader.parent.session_leader.saved_user.name: + dashed_name: process-entry-leader-parent-session-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.session_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.entry_leader.parent.session_leader.saved_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.entry_leader.parent.session_leader.saved_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.parent.session_leader.saved_user.risk.static_level: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.entry_leader.parent.session_leader.saved_user.risk.static_score: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.entry_leader.parent.session_leader.saved_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.parent.session_leader.saved_user.roles: + dashed_name: process-entry-leader-parent-session-leader-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.session_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.session_leader.start: + dashed_name: process-entry-leader-parent-session-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.session_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. 
+ type: date + process.entry_leader.parent.session_leader.supplemental_groups.domain: + dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.session_leader.supplemental_groups.id: + dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.session_leader.supplemental_groups.name: + dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.session_leader.thread.capabilities.effective: + dashed_name: process-entry-leader-parent-session-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.parent.session_leader.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.session_leader.thread.capabilities.permitted: + dashed_name: process-entry-leader-parent-session-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.parent.session_leader.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.session_leader.thread.id: + dashed_name: process-entry-leader-parent-session-leader-thread-id + description: Thread ID. + example: 4242 + flat_name: process.entry_leader.parent.session_leader.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long + process.entry_leader.parent.session_leader.thread.name: + dashed_name: process-entry-leader-parent-session-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.entry_leader.parent.session_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword + process.entry_leader.parent.session_leader.title: + dashed_name: process-entry-leader-parent-session-leader-title + description: 'Process title. 
+ + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + flat_name: process.entry_leader.parent.session_leader.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword + process.entry_leader.parent.session_leader.tty: + dashed_name: process-entry-leader-parent-session-leader-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.entry_leader.parent.session_leader.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object + process.entry_leader.parent.session_leader.tty.char_device.major: + dashed_name: process-entry-leader-parent-session-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.entry_leader.parent.session_leader.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long + process.entry_leader.parent.session_leader.tty.char_device.minor: + dashed_name: process-entry-leader-parent-session-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. 
It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.entry_leader.parent.session_leader.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long + process.entry_leader.parent.session_leader.tty.columns: + dashed_name: process-entry-leader-parent-session-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.entry_leader.parent.session_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long + process.entry_leader.parent.session_leader.tty.rows: + dashed_name: process-entry-leader-parent-session-leader-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.entry_leader.parent.session_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long + process.entry_leader.parent.session_leader.uptime: + dashed_name: process-entry-leader-parent-session-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.entry_leader.parent.session_leader.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. 
+ type: long + process.entry_leader.parent.session_leader.user.domain: + dashed_name: process-entry-leader-parent-session-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.entry_leader.parent.session_leader.user.email: + dashed_name: process-entry-leader-parent-session-leader-user-email + description: User email address. + flat_name: process.entry_leader.parent.session_leader.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.entry_leader.parent.session_leader.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.entry_leader.parent.session_leader.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.entry_leader.parent.session_leader.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. 
Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.entry_leader.parent.session_leader.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.parent.session_leader.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.entry_leader.parent.session_leader.user.entity.id: + dashed_name: process-entry-leader-parent-session-leader-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. 
Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.entry_leader.parent.session_leader.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.entry_leader.parent.session_leader.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.parent.session_leader.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.entry_leader.parent.session_leader.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.entry_leader.parent.session_leader.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. 
+ flat_name: process.entry_leader.parent.session_leader.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.entry_leader.parent.session_leader.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.entry_leader.parent.session_leader.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.entry_leader.parent.session_leader.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.entry_leader.parent.session_leader.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.entry_leader.parent.session_leader.user.entity.reference: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-session-leader-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.parent.session_leader.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.entry_leader.parent.session_leader.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.entry_leader.parent.session_leader.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.entry_leader.parent.session_leader.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: process.entry_leader.parent.session_leader.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.entry_leader.parent.session_leader.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. 
+ This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.entry_leader.parent.session_leader.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.entry_leader.parent.session_leader.user.full_name: + dashed_name: process-entry-leader-parent-session-leader-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.session_leader.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.parent.session_leader.user.group.domain: + dashed_name: process-entry-leader-parent-session-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.entry_leader.parent.session_leader.user.group.id: + dashed_name: process-entry-leader-parent-session-leader-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.session_leader.user.group.name: + dashed_name: process-entry-leader-parent-session-leader-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.session_leader.user.hash: + dashed_name: process-entry-leader-parent-session-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.session_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.parent.session_leader.user.id: + dashed_name: process-entry-leader-parent-session-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.session_leader.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. 
+ type: keyword + process.entry_leader.parent.session_leader.user.name: + dashed_name: process-entry-leader-parent-session-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.session_leader.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.entry_leader.parent.session_leader.user.risk.calculated_level: + dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.entry_leader.parent.session_leader.user.risk.calculated_score: + dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + process.entry_leader.parent.session_leader.user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.parent.session_leader.user.risk.static_level: + dashed_name: process-entry-leader-parent-session-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.session_leader.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.entry_leader.parent.session_leader.user.risk.static_score: + dashed_name: process-entry-leader-parent-session-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.session_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.entry_leader.parent.session_leader.user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-session-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.session_leader.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.parent.session_leader.user.roles: + dashed_name: process-entry-leader-parent-session-leader-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.session_leader.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.session_leader.vpid: + dashed_name: process-entry-leader-parent-session-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.entry_leader.parent.session_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.entry_leader.parent.session_leader.working_directory: + dashed_name: process-entry-leader-parent-session-leader-working-directory + description: The working directory of the process. 
+ example: /home/alice + flat_name: process.entry_leader.parent.session_leader.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword + process.entry_leader.parent.start: + dashed_name: process-entry-leader-parent-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.entry_leader.parent.supplemental_groups.domain: + dashed_name: process-entry-leader-parent-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.supplemental_groups.id: + dashed_name: process-entry-leader-parent-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.supplemental_groups.name: + dashed_name: process-entry-leader-parent-supplemental-groups-name + description: Name of the group. 
+ flat_name: process.entry_leader.parent.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.thread.capabilities.effective: + dashed_name: process-entry-leader-parent-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.parent.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.thread.capabilities.permitted: + dashed_name: process-entry-leader-parent-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.parent.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.thread.id: + dashed_name: process-entry-leader-parent-thread-id + description: Thread ID. + example: 4242 + flat_name: process.entry_leader.parent.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long + process.entry_leader.parent.thread.name: + dashed_name: process-entry-leader-parent-thread-name + description: Thread name. 
+ example: thread-0 + flat_name: process.entry_leader.parent.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword + process.entry_leader.parent.title: + dashed_name: process-entry-leader-parent-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + flat_name: process.entry_leader.parent.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword + process.entry_leader.parent.tty: + dashed_name: process-entry-leader-parent-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.entry_leader.parent.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object + process.entry_leader.parent.tty.char_device.major: + dashed_name: process-entry-leader-parent-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.entry_leader.parent.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. 
+ type: long + process.entry_leader.parent.tty.char_device.minor: + dashed_name: process-entry-leader-parent-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.entry_leader.parent.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long + process.entry_leader.parent.tty.columns: + dashed_name: process-entry-leader-parent-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.entry_leader.parent.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long + process.entry_leader.parent.tty.rows: + dashed_name: process-entry-leader-parent-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.entry_leader.parent.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long + process.entry_leader.parent.uptime: + dashed_name: process-entry-leader-parent-uptime + description: Seconds the process has been up. 
+ example: 1325 + flat_name: process.entry_leader.parent.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long + process.entry_leader.parent.user.domain: + dashed_name: process-entry-leader-parent-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.entry_leader.parent.user.email: + dashed_name: process-entry-leader-parent-user-email + description: User email address. + flat_name: process.entry_leader.parent.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.entry_leader.parent.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.entry_leader.parent.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.entry_leader.parent.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. 
Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.entry_leader.parent.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.parent.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.entry_leader.parent.user.entity.id: + dashed_name: process-entry-leader-parent-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ flat_name: process.entry_leader.parent.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.entry_leader.parent.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.parent.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.entry_leader.parent.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.entry_leader.parent.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.entry_leader.parent.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. 
+ type: object + process.entry_leader.parent.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.entry_leader.parent.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.entry_leader.parent.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.entry_leader.parent.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.entry_leader.parent.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: process.entry_leader.parent.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.entry_leader.parent.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.entry_leader.parent.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.entry_leader.parent.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.parent.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.entry_leader.parent.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. 
+ name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
+ example: host + flat_name: process.entry_leader.parent.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.entry_leader.parent.user.full_name: + dashed_name: process-entry-leader-parent-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.parent.user.group.domain: + dashed_name: process-entry-leader-parent-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.user.group.id: + dashed_name: process-entry-leader-parent-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.user.group.name: + dashed_name: process-entry-leader-parent-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.entry_leader.parent.user.hash: + dashed_name: process-entry-leader-parent-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.parent.user.id: + dashed_name: process-entry-leader-parent-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.entry_leader.parent.user.name: + dashed_name: process-entry-leader-parent-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.entry_leader.parent.user.risk.calculated_level: + dashed_name: process-entry-leader-parent-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: keyword + process.entry_leader.parent.user.risk.calculated_score: + dashed_name: process-entry-leader-parent-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.entry_leader.parent.user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.parent.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.parent.user.risk.static_level: + dashed_name: process-entry-leader-parent-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.entry_leader.parent.user.risk.static_score: + dashed_name: process-entry-leader-parent-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.entry_leader.parent.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.entry_leader.parent.user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.parent.user.roles: + dashed_name: process-entry-leader-parent-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.vpid: + dashed_name: process-entry-leader-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.entry_leader.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.entry_leader.parent.working_directory: + dashed_name: process-entry-leader-parent-working-directory + description: The working directory of the process. 
+ example: /home/alice + flat_name: process.entry_leader.parent.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword + process.entry_leader.pe.architecture: + dashed_name: process-entry-leader-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.entry_leader.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + process.entry_leader.pe.company: + dashed_name: process-entry-leader-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.entry_leader.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.entry_leader.pe.description: + dashed_name: process-entry-leader-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.entry_leader.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + process.entry_leader.pe.file_version: + dashed_name: process-entry-leader-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.entry_leader.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. 
+ type: keyword + process.entry_leader.pe.go_import_hash: + dashed_name: process-entry-leader-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword + process.entry_leader.pe.go_imports: + dashed_name: process-entry-leader-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.entry_leader.pe.go_imports_names_entropy: + dashed_name: process-entry-leader-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.pe.go_imports_names_var_entropy: + dashed_name: process-entry-leader-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.entry_leader.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.pe.go_stripped: + dashed_name: process-entry-leader-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.entry_leader.pe.imphash: + dashed_name: process-entry-leader-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.entry_leader.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.entry_leader.pe.import_hash: + dashed_name: process-entry-leader-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.entry_leader.pe.imports: + dashed_name: process-entry-leader-pe-imports + description: List of imported element names and types. + flat_name: process.entry_leader.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + process.entry_leader.pe.imports_names_entropy: + dashed_name: process-entry-leader-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.entry_leader.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.entry_leader.pe.imports_names_var_entropy: + dashed_name: process-entry-leader-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.entry_leader.pe.original_file_name: + dashed_name: process-entry-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.entry_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. 
+ type: keyword + process.entry_leader.pe.pehash: + dashed_name: process-entry-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.entry_leader.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword + process.entry_leader.pe.product: + dashed_name: process-entry-leader-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.entry_leader.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.entry_leader.pe.sections: + dashed_name: process-entry-leader-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.entry_leader.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.entry_leader.pe.sections.entropy: + dashed_name: process-entry-leader-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. 
+ type: long + process.entry_leader.pe.sections.name: + dashed_name: process-entry-leader-pe-sections-name + description: PE Section List name. + flat_name: process.entry_leader.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + process.entry_leader.pe.sections.physical_size: + dashed_name: process-entry-leader-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.entry_leader.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.entry_leader.pe.sections.var_entropy: + dashed_name: process-entry-leader-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.entry_leader.pe.sections.virtual_size: + dashed_name: process-entry-leader-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.entry_leader.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.entry_leader.pid: + dashed_name: process-entry-leader-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.entry_leader.platform_binary: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + flat_name: process.entry_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.entry_leader.real_group.domain: + dashed_name: process-entry-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.real_group.id: + dashed_name: process-entry-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.real_group.name: + dashed_name: process-entry-leader-real-group-name + description: Name of the group. + flat_name: process.entry_leader.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.real_user.domain: + dashed_name: process-entry-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.entry_leader.real_user.email: + dashed_name: process-entry-leader-real-user-email + description: User email address. + flat_name: process.entry_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.entry_leader.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.entry_leader.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.entry_leader.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.entry_leader.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.entry_leader.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.real_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.entry_leader.real_user.entity.id: + dashed_name: process-entry-leader-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.entry_leader.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. 
+ type: keyword + process.entry_leader.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.entry_leader.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.entry_leader.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.entry_leader.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.entry_leader.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-name + description: The name of the entity. 
The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.entry_leader.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.real_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.entry_leader.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.entry_leader.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.entry_leader.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.entry_leader.real_user.entity.source: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-real-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.entry_leader.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.entry_leader.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.entry_leader.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. 
+ name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. 
+ name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.entry_leader.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.entry_leader.real_user.full_name: + dashed_name: process-entry-leader-real-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.entry_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.real_user.group.domain: + dashed_name: process-entry-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.real_user.group.id: + dashed_name: process-entry-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.real_user.group.name: + dashed_name: process-entry-leader-real-user-group-name + description: Name of the group. + flat_name: process.entry_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.real_user.hash: + dashed_name: process-entry-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.entry_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.real_user.id: + dashed_name: process-entry-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.entry_leader.real_user.name: + dashed_name: process-entry-leader-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.entry_leader.real_user.risk.calculated_level: + dashed_name: process-entry-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.entry_leader.real_user.risk.calculated_score: + dashed_name: process-entry-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.entry_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.entry_leader.real_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.real_user.risk.static_level: + dashed_name: process-entry-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.entry_leader.real_user.risk.static_score: + dashed_name: process-entry-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.entry_leader.real_user.risk.static_score_norm: + dashed_name: process-entry-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.real_user.roles: + dashed_name: process-entry-leader-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.entry_leader.same_as_process: + dashed_name: process-entry-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. 
+ e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.entry_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. + type: boolean + process.entry_leader.saved_group.domain: + dashed_name: process-entry-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.saved_group.id: + dashed_name: process-entry-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.saved_group.name: + dashed_name: process-entry-leader-saved-group-name + description: Name of the group. + flat_name: process.entry_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.entry_leader.saved_user.domain: + dashed_name: process-entry-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.entry_leader.saved_user.email: + dashed_name: process-entry-leader-saved-user-email + description: User email address. + flat_name: process.entry_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.entry_leader.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.entry_leader.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.entry_leader.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. 
Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.entry_leader.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.saved_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.entry_leader.saved_user.entity.id: + dashed_name: process-entry-leader-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ flat_name: process.entry_leader.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.entry_leader.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.entry_leader.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.entry_leader.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.entry_leader.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. 
+ type: object + process.entry_leader.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.entry_leader.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.saved_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.entry_leader.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.entry_leader.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.entry_leader.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: process.entry_leader.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.entry_leader.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.entry_leader.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.entry_leader.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.entry_leader.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. 
+ name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
+ example: host + flat_name: process.entry_leader.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.entry_leader.saved_user.full_name: + dashed_name: process-entry-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.saved_user.group.domain: + dashed_name: process-entry-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.saved_user.group.id: + dashed_name: process-entry-leader-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.saved_user.group.name: + dashed_name: process-entry-leader-saved-user-group-name + description: Name of the group. + flat_name: process.entry_leader.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.entry_leader.saved_user.hash: + dashed_name: process-entry-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.saved_user.id: + dashed_name: process-entry-leader-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.entry_leader.saved_user.name: + dashed_name: process-entry-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.entry_leader.saved_user.risk.calculated_level: + dashed_name: process-entry-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: keyword + process.entry_leader.saved_user.risk.calculated_score: + dashed_name: process-entry-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.entry_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.saved_user.risk.static_level: + dashed_name: process-entry-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.entry_leader.saved_user.risk.static_score: + dashed_name: process-entry-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.entry_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.entry_leader.saved_user.risk.static_score_norm: + dashed_name: process-entry-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.saved_user.roles: + dashed_name: process-entry-leader-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.entry_leader.start: + dashed_name: process-entry-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.entry_leader.supplemental_groups.domain: + dashed_name: process-entry-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.supplemental_groups.id: + dashed_name: process-entry-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.supplemental_groups.name: + dashed_name: process-entry-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.entry_leader.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.thread.capabilities.effective: + dashed_name: process-entry-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword + process.entry_leader.thread.capabilities.permitted: + dashed_name: process-entry-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword + process.entry_leader.thread.id: + dashed_name: process-entry-leader-thread-id + description: Thread ID. + example: 4242 + flat_name: process.entry_leader.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long + process.entry_leader.thread.name: + dashed_name: process-entry-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.entry_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword + process.entry_leader.title: + dashed_name: process-entry-leader-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + flat_name: process.entry_leader.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword + process.entry_leader.tty: + dashed_name: process-entry-leader-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.entry_leader.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. 
+ type: object + process.entry_leader.tty.char_device.major: + dashed_name: process-entry-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.entry_leader.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long + process.entry_leader.tty.char_device.minor: + dashed_name: process-entry-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.entry_leader.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long + process.entry_leader.tty.columns: + dashed_name: process-entry-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.entry_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long + process.entry_leader.tty.rows: + dashed_name: process-entry-leader-tty-rows + description: 'The number of character rows in the terminal. 
e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.entry_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long + process.entry_leader.uptime: + dashed_name: process-entry-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.entry_leader.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long + process.entry_leader.user.domain: + dashed_name: process-entry-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.entry_leader.user.email: + dashed_name: process-entry-leader-user-email + description: User email address. + flat_name: process.entry_leader.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.entry_leader.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. 
+ flat_name: process.entry_leader.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.entry_leader.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.entry_leader.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.entry_leader.user.entity.id: + dashed_name: process-entry-leader-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.entry_leader.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.entry_leader.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.entry_leader.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. 
+ type: object + process.entry_leader.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.entry_leader.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.entry_leader.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.entry_leader.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.entry_leader.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.entry_leader.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.entry_leader.user.entity.reference: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.entry_leader.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.entry_leader.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.entry_leader.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. 
+ type: keyword + process.entry_leader.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. 
+ name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-type + description: 'A standardized high-level classification of the entity. 
This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.entry_leader.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.entry_leader.user.full_name: + dashed_name: process-entry-leader-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.user.group.domain: + dashed_name: process-entry-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.user.group.id: + dashed_name: process-entry-leader-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.user.group.name: + dashed_name: process-entry-leader-user-group-name + description: Name of the group. 
+ flat_name: process.entry_leader.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.user.hash: + dashed_name: process-entry-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.user.id: + dashed_name: process-entry-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.entry_leader.user.name: + dashed_name: process-entry-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.entry_leader.user.risk.calculated_level: + dashed_name: process-entry-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.entry_leader.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.entry_leader.user.risk.calculated_score: + dashed_name: process-entry-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.entry_leader.user.risk.calculated_score_norm: + dashed_name: process-entry-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.user.risk.static_level: + dashed_name: process-entry-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: keyword + process.entry_leader.user.risk.static_score: + dashed_name: process-entry-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.entry_leader.user.risk.static_score_norm: + dashed_name: process-entry-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.user.roles: + dashed_name: process-entry-leader-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.entry_leader.vpid: + dashed_name: process-entry-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' 
+ example: 4242 + flat_name: process.entry_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.entry_leader.working_directory: + dashed_name: process-entry-leader-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.entry_leader.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword + process.entry_meta.source.address: + dashed_name: process-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword + process.entry_meta.source.as.number: + dashed_name: process-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.entry_meta.source.as.organization.name: + dashed_name: process-entry-meta-source-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: process.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword + process.entry_meta.source.bytes: + dashed_name: process-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.entry_meta.source.domain: + dashed_name: process-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.entry_meta.source.geo.city_name: + dashed_name: process-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + process.entry_meta.source.geo.continent_code: + dashed_name: process-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. 
+ type: keyword + process.entry_meta.source.geo.continent_name: + dashed_name: process-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.entry_meta.source.geo.country_iso_code: + dashed_name: process-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + process.entry_meta.source.geo.country_name: + dashed_name: process-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + process.entry_meta.source.geo.location: + dashed_name: process-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + process.entry_meta.source.geo.name: + dashed_name: process-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' 
+ example: boston-dc + flat_name: process.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.entry_meta.source.geo.postal_code: + dashed_name: process-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.entry_meta.source.geo.region_iso_code: + dashed_name: process-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.entry_meta.source.geo.region_name: + dashed_name: process-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + process.entry_meta.source.geo.timezone: + dashed_name: process-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.entry_meta.source.ip: + dashed_name: process-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). 
+ flat_name: process.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip + process.entry_meta.source.mac: + dashed_name: process-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.entry_meta.source.nat.ip: + dashed_name: process-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.entry_meta.source.nat.port: + dashed_name: process-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.entry_meta.source.packets: + dashed_name: process-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. 
+ type: long + process.entry_meta.source.port: + dashed_name: process-entry-meta-source-port + description: Port of the source. + flat_name: process.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.entry_meta.source.registered_domain: + dashed_name: process-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.entry_meta.source.subdomain: + dashed_name: process-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. 
+ type: keyword + process.entry_meta.source.top_level_domain: + dashed_name: process-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword + process.entry_meta.type: + dashed_name: process-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + short: The entry type for the entry session leader. + type: keyword + process.env_vars: + dashed_name: process-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.executable: + dashed_name: process-executable + description: Absolute path to the process executable. 
+ example: /usr/bin/ssh + flat_name: process.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + otel: + - attribute: process.executable.path + relation: equivalent + short: Absolute path to the process executable. + type: keyword + process.exit_code: + dashed_name: process-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.exit_code + level: extended + name: exit_code + normalize: [] + short: The exit code of the process. + type: long + process.group.domain: + dashed_name: process-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.group.id: + dashed_name: process-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.group.name: + dashed_name: process-group-name + description: Name of the group. + flat_name: process.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.group_leader.args: + dashed_name: process-group-leader-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' 
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.group_leader.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.group_leader.args_count: + dashed_name: process-group-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.group_leader.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long + process.group_leader.attested_groups.domain: + dashed_name: process-group-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.group_leader.attested_groups.id: + dashed_name: process-group-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.group_leader.attested_groups.name: + dashed_name: process-group-leader-attested-groups-name + description: Name of the group. + flat_name: process.group_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.group_leader.attested_user.domain: + dashed_name: process-group-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.group_leader.attested_user.email: + dashed_name: process-group-leader-attested-user-email + description: User email address. + flat_name: process.group_leader.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.group_leader.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.group_leader.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.group_leader.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. 
Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.group_leader.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.group_leader.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.group_leader.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.attested_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.group_leader.attested_user.entity.id: + dashed_name: process-group-leader-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ flat_name: process.group_leader.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.group_leader.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.group_leader.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.group_leader.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.group_leader.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.group_leader.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.group_leader.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. 
+ type: object + process.group_leader.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.group_leader.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.attested_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.group_leader.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.group_leader.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.group_leader.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: process.group_leader.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.group_leader.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.group_leader.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.group_leader.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.group_leader.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.group_leader.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. 
Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. 
Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. 
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.group_leader.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.group_leader.attested_user.full_name: + dashed_name: process-group-leader-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.group_leader.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.group_leader.attested_user.group.domain: + dashed_name: process-group-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.group_leader.attested_user.group.id: + dashed_name: process-group-leader-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.group_leader.attested_user.group.name: + dashed_name: process-group-leader-attested-user-group-name + description: Name of the group. 
+ flat_name: process.group_leader.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.group_leader.attested_user.hash: + dashed_name: process-group-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.group_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.group_leader.attested_user.id: + dashed_name: process-group-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.group_leader.attested_user.name: + dashed_name: process-group-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.group_leader.attested_user.risk.calculated_level: + dashed_name: process-group-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.group_leader.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.group_leader.attested_user.risk.calculated_score: + dashed_name: process-group-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.group_leader.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.group_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-group-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.group_leader.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.group_leader.attested_user.risk.static_level: + dashed_name: process-group-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.group_leader.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.group_leader.attested_user.risk.static_score: + dashed_name: process-group-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.group_leader.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.group_leader.attested_user.risk.static_score_norm: + dashed_name: process-group-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.group_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.group_leader.attested_user.roles: + dashed_name: process-group-leader-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.group_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword + process.group_leader.code_signature.digest_algorithm: + dashed_name: process-group-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.group_leader.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword + process.group_leader.code_signature.exists: + dashed_name: process-group-leader-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.group_leader.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.group_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.group_leader.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword + process.group_leader.code_signature.signing_id: + dashed_name: process-group-leader-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' 
+ example: com.apple.xpc.proxy + flat_name: process.group_leader.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + process.group_leader.code_signature.status: + dashed_name: process-group-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.group_leader.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + process.group_leader.code_signature.subject_name: + dashed_name: process-group-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.group_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.group_leader.code_signature.team_id: + dashed_name: process-group-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.group_leader.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + process.group_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. 
+ dashed_name: process-group-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.group_leader.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword + process.group_leader.code_signature.timestamp: + dashed_name: process-group-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.group_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date + process.group_leader.code_signature.trusted: + dashed_name: process-group-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.group_leader.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.group_leader.code_signature.valid: + dashed_name: process-group-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' 
+ example: 'true' + flat_name: process.group_leader.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + process.group_leader.command_line: + dashed_name: process-group-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.group_leader.command_line + level: extended + multi_fields: + - flat_name: process.group_leader.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.group_leader.elf.architecture: + dashed_name: process-group-leader-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.group_leader.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.group_leader.elf.byte_order: + dashed_name: process-group-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.group_leader.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + process.group_leader.elf.cpu_type: + dashed_name: process-group-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.group_leader.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. 
+ type: keyword + process.group_leader.elf.creation_date: + dashed_name: process-group-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: process.group_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + process.group_leader.elf.exports: + dashed_name: process-group-leader-elf-exports + description: List of exported element names and types. + flat_name: process.group_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + process.group_leader.elf.go_import_hash: + dashed_name: process-group-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.group_leader.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + process.group_leader.elf.go_imports: + dashed_name: process-group-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.group_leader.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. 
+ type: flattened + process.group_leader.elf.go_imports_names_entropy: + dashed_name: process-group-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.group_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + process.group_leader.elf.go_imports_names_var_entropy: + dashed_name: process-group-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.group_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.group_leader.elf.go_stripped: + dashed_name: process-group-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.group_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.group_leader.elf.header.abi_version: + dashed_name: process-group-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.group_leader.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.group_leader.elf.header.class: + dashed_name: process-group-leader-elf-header-class + description: Header class of the ELF file. 
+ flat_name: process.group_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + process.group_leader.elf.header.data: + dashed_name: process-group-leader-elf-header-data + description: Data table of the ELF header. + flat_name: process.group_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + process.group_leader.elf.header.entrypoint: + dashed_name: process-group-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.group_leader.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.group_leader.elf.header.object_version: + dashed_name: process-group-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.group_leader.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.group_leader.elf.header.os_abi: + dashed_name: process-group-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.group_leader.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.group_leader.elf.header.type: + dashed_name: process-group-leader-elf-header-type + description: Header type of the ELF file. 
+ flat_name: process.group_leader.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.group_leader.elf.header.version: + dashed_name: process-group-leader-elf-header-version + description: Version of the ELF header. + flat_name: process.group_leader.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.group_leader.elf.import_hash: + dashed_name: process-group-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.group_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword + process.group_leader.elf.imports: + dashed_name: process-group-leader-elf-imports + description: List of imported element names and types. + flat_name: process.group_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.group_leader.elf.imports_names_entropy: + dashed_name: process-group-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.group_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. 
+ type: long + process.group_leader.elf.imports_names_var_entropy: + dashed_name: process-group-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.group_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.group_leader.elf.sections: + dashed_name: process-group-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.group_leader.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.group_leader.elf.sections.chi2: + dashed_name: process-group-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.group_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.group_leader.elf.sections.entropy: + dashed_name: process-group-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.group_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.group_leader.elf.sections.flags: + dashed_name: process-group-leader-elf-sections-flags + description: ELF Section List flags. 
+ flat_name: process.group_leader.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + process.group_leader.elf.sections.name: + dashed_name: process-group-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.group_leader.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.group_leader.elf.sections.physical_offset: + dashed_name: process-group-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.group_leader.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.group_leader.elf.sections.physical_size: + dashed_name: process-group-leader-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.group_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + process.group_leader.elf.sections.type: + dashed_name: process-group-leader-elf-sections-type + description: ELF Section List type. + flat_name: process.group_leader.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.group_leader.elf.sections.var_entropy: + dashed_name: process-group-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. 
+ flat_name: process.group_leader.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long + process.group_leader.elf.sections.virtual_address: + dashed_name: process-group-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.group_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.group_leader.elf.sections.virtual_size: + dashed_name: process-group-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.group_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + process.group_leader.elf.segments: + dashed_name: process-group-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.group_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + process.group_leader.elf.segments.sections: + dashed_name: process-group-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.group_leader.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.group_leader.elf.segments.type: + dashed_name: process-group-leader-elf-segments-type + description: ELF object segment type. 
+ flat_name: process.group_leader.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + process.group_leader.elf.shared_libraries: + dashed_name: process-group-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.group_leader.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + process.group_leader.elf.telfhash: + dashed_name: process-group-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.group_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + process.group_leader.end: + dashed_name: process-group-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.group_leader.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date + process.group_leader.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.group_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.group_leader.entity_id: + dashed_name: process-group-leader-entity-id + description: 'Unique identifier for the process. 
+ + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.group_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.group_leader.entry_meta.source.address: + dashed_name: process-group-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.group_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword + process.group_leader.entry_meta.source.as.number: + dashed_name: process-group-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.group_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.group_leader.entry_meta.source.as.organization.name: + dashed_name: process-group-leader-entry-meta-source-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: process.group_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword + process.group_leader.entry_meta.source.bytes: + dashed_name: process-group-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.group_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.group_leader.entry_meta.source.domain: + dashed_name: process-group-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.group_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.group_leader.entry_meta.source.geo.city_name: + dashed_name: process-group-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.group_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + process.group_leader.entry_meta.source.geo.continent_code: + dashed_name: process-group-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. 
+ example: NA + flat_name: process.group_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + process.group_leader.entry_meta.source.geo.continent_name: + dashed_name: process-group-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.group_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.group_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-group-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.group_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + process.group_leader.entry_meta.source.geo.country_name: + dashed_name: process-group-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.group_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + process.group_leader.entry_meta.source.geo.location: + dashed_name: process-group-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.group_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. 
+ type: geo_point + process.group_leader.entry_meta.source.geo.name: + dashed_name: process-group-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.group_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.group_leader.entry_meta.source.geo.postal_code: + dashed_name: process-group-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.group_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.group_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-group-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.group_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.group_leader.entry_meta.source.geo.region_name: + dashed_name: process-group-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.group_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. 
+ type: keyword + process.group_leader.entry_meta.source.geo.timezone: + dashed_name: process-group-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.group_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.group_leader.entry_meta.source.ip: + dashed_name: process-group-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.group_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip + process.group_leader.entry_meta.source.mac: + dashed_name: process-group-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.group_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.group_leader.entry_meta.source.nat.ip: + dashed_name: process-group-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' 
+ flat_name: process.group_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.group_leader.entry_meta.source.nat.port: + dashed_name: process-group-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.group_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.group_leader.entry_meta.source.packets: + dashed_name: process-group-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.group_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.group_leader.entry_meta.source.port: + dashed_name: process-group-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.group_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.group_leader.entry_meta.source.registered_domain: + dashed_name: process-group-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' 
+ example: example.com + flat_name: process.group_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.group_leader.entry_meta.source.subdomain: + dashed_name: process-group-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.group_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.group_leader.entry_meta.source.top_level_domain: + dashed_name: process-group-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' 
+ example: co.uk + flat_name: process.group_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword + process.group_leader.entry_meta.type: + dashed_name: process-group-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.group_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword + process.group_leader.env_vars: + dashed_name: process-group-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.group_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.group_leader.executable: + dashed_name: process-group-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.group_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. 
+ type: keyword + process.group_leader.exit_code: + dashed_name: process-group-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.group_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long + process.group_leader.group.domain: + dashed_name: process-group-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.group_leader.group.id: + dashed_name: process-group-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.group_leader.group.name: + dashed_name: process-group-leader-group-name + description: Name of the group. + flat_name: process.group_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.group_leader.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. 
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.group_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.group_leader.hash.md5: + dashed_name: process-group-leader-hash-md5 + description: MD5 hash. + flat_name: process.group_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.group_leader.hash.sha1: + dashed_name: process-group-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.group_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + process.group_leader.hash.sha256: + dashed_name: process-group-leader-hash-sha256 + description: SHA256 hash. + flat_name: process.group_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.group_leader.hash.sha384: + dashed_name: process-group-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.group_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword + process.group_leader.hash.sha512: + dashed_name: process-group-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.group_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.group_leader.hash.ssdeep: + dashed_name: process-group-leader-hash-ssdeep + description: SSDEEP hash. + flat_name: process.group_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. 
+ type: keyword + process.group_leader.hash.tlsh: + dashed_name: process-group-leader-hash-tlsh + description: TLSH hash. + flat_name: process.group_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.group_leader.interactive: + dashed_name: process-group-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.group_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.group_leader.io: + dashed_name: process-group-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.group_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object + process.group_leader.io.bytes_skipped: + dashed_name: process-group-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. 
+ flat_name: process.group_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.group_leader.io.bytes_skipped.length: + dashed_name: process-group-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.group_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long + process.group_leader.io.bytes_skipped.offset: + dashed_name: process-group-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.group_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.group_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-group-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.group_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.group_leader.io.text: + dashed_name: process-group-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. 
TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.group_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard + process.group_leader.io.total_bytes_captured: + dashed_name: process-group-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.group_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long + process.group_leader.io.total_bytes_skipped: + dashed_name: process-group-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.group_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: long + process.group_leader.io.type: + dashed_name: process-group-leader-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.group_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. 
+ type: keyword + process.group_leader.macho.go_import_hash: + dashed_name: process-group-leader-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.group_leader.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword + process.group_leader.macho.go_imports: + dashed_name: process-group-leader-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.group_leader.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.group_leader.macho.go_imports_names_entropy: + dashed_name: process-group-leader-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.group_leader.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.group_leader.macho.go_imports_names_var_entropy: + dashed_name: process-group-leader-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.group_leader.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.group_leader.macho.go_stripped: + dashed_name: process-group-leader-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.group_leader.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.group_leader.macho.import_hash: + dashed_name: process-group-leader-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.group_leader.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.group_leader.macho.imports: + dashed_name: process-group-leader-macho-imports + description: List of imported element names and types. + flat_name: process.group_leader.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + process.group_leader.macho.imports_names_entropy: + dashed_name: process-group-leader-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.group_leader.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.group_leader.macho.imports_names_var_entropy: + dashed_name: process-group-leader-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.group_leader.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.group_leader.macho.sections: + dashed_name: process-group-leader-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.group_leader.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.group_leader.macho.sections.entropy: + dashed_name: process-group-leader-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.group_leader.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long + process.group_leader.macho.sections.name: + dashed_name: process-group-leader-macho-sections-name + description: Mach-O Section List name. 
+ flat_name: process.group_leader.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.group_leader.macho.sections.physical_size: + dashed_name: process-group-leader-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.group_leader.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.group_leader.macho.sections.var_entropy: + dashed_name: process-group-leader-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.group_leader.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.group_leader.macho.sections.virtual_size: + dashed_name: process-group-leader-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.group_leader.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.group_leader.macho.symhash: + dashed_name: process-group-leader-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
+ + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.group_leader.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.group_leader.name: + dashed_name: process-group-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.group_leader.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword + process.group_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.group_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.group_leader.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.group_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword + process.group_leader.pe.architecture: + dashed_name: process-group-leader-pe-architecture + description: CPU architecture target for the file. 
+ example: x64 + flat_name: process.group_leader.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + process.group_leader.pe.company: + dashed_name: process-group-leader-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.group_leader.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.group_leader.pe.description: + dashed_name: process-group-leader-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.group_leader.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + process.group_leader.pe.file_version: + dashed_name: process-group-leader-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.group_leader.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + process.group_leader.pe.go_import_hash: + dashed_name: process-group-leader-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.group_leader.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword + process.group_leader.pe.go_imports: + dashed_name: process-group-leader-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.group_leader.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.group_leader.pe.go_imports_names_entropy: + dashed_name: process-group-leader-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.group_leader.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.group_leader.pe.go_imports_names_var_entropy: + dashed_name: process-group-leader-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.group_leader.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.group_leader.pe.go_stripped: + dashed_name: process-group-leader-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. 
+ flat_name: process.group_leader.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.group_leader.pe.imphash: + dashed_name: process-group-leader-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.group_leader.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.group_leader.pe.import_hash: + dashed_name: process-group-leader-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.group_leader.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.group_leader.pe.imports: + dashed_name: process-group-leader-pe-imports + description: List of imported element names and types. + flat_name: process.group_leader.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. 
+ type: flattened + process.group_leader.pe.imports_names_entropy: + dashed_name: process-group-leader-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.group_leader.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.group_leader.pe.imports_names_var_entropy: + dashed_name: process-group-leader-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.group_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.group_leader.pe.original_file_name: + dashed_name: process-group-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.group_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + process.group_leader.pe.pehash: + dashed_name: process-group-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' 
+ example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.group_leader.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword + process.group_leader.pe.product: + dashed_name: process-group-leader-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.group_leader.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.group_leader.pe.sections: + dashed_name: process-group-leader-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.group_leader.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.group_leader.pe.sections.entropy: + dashed_name: process-group-leader-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.group_leader.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + process.group_leader.pe.sections.name: + dashed_name: process-group-leader-pe-sections-name + description: PE Section List name. + flat_name: process.group_leader.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. 
+ type: keyword + process.group_leader.pe.sections.physical_size: + dashed_name: process-group-leader-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.group_leader.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.group_leader.pe.sections.var_entropy: + dashed_name: process-group-leader-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.group_leader.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.group_leader.pe.sections.virtual_size: + dashed_name: process-group-leader-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.group_leader.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.group_leader.pid: + dashed_name: process-group-leader-pid + description: Process id. + example: 4242 + flat_name: process.group_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + otel: + - relation: match + short: Process id. + type: long + process.group_leader.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. 
+ flat_name: process.group_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.group_leader.real_group.domain: + dashed_name: process-group-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.group_leader.real_group.id: + dashed_name: process-group-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.group_leader.real_group.name: + dashed_name: process-group-leader-real-group-name + description: Name of the group. + flat_name: process.group_leader.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.group_leader.real_user.domain: + dashed_name: process-group-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.group_leader.real_user.email: + dashed_name: process-group-leader-real-user-email + description: User email address. 
+ flat_name: process.group_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.group_leader.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.group_leader.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.group_leader.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.group_leader.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.group_leader.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. 
This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.group_leader.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.real_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.group_leader.real_user.entity.id: + dashed_name: process-group-leader-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.group_leader.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.group_leader.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.group_leader.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." 
+ type: date + process.group_leader.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.group_leader.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.group_leader.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.group_leader.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.group_leader.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.group_leader.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.real_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. 
+ type: keyword + process.group_leader.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.group_leader.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.group_leader.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.group_leader.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.group_leader.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.group_leader.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.group_leader.real_user.entity.sub_type: + beta: This field is beta and subject to change. 
+ dashed_name: process-group-leader-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.group_leader.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.group_leader.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. 
This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.group_leader.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.group_leader.real_user.full_name: + dashed_name: process-group-leader-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.group_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. 
+ type: keyword + process.group_leader.real_user.group.domain: + dashed_name: process-group-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.group_leader.real_user.group.id: + dashed_name: process-group-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.group_leader.real_user.group.name: + dashed_name: process-group-leader-real-user-group-name + description: Name of the group. + flat_name: process.group_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.group_leader.real_user.hash: + dashed_name: process-group-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.group_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.group_leader.real_user.id: + dashed_name: process-group-leader-real-user-id + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.group_leader.real_user.name: + dashed_name: process-group-leader-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.group_leader.real_user.risk.calculated_level: + dashed_name: process-group-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.group_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.group_leader.real_user.risk.calculated_score: + dashed_name: process-group-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.group_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + process.group_leader.real_user.risk.calculated_score_norm: + dashed_name: process-group-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.group_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.group_leader.real_user.risk.static_level: + dashed_name: process-group-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.group_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.group_leader.real_user.risk.static_score: + dashed_name: process-group-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.group_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.group_leader.real_user.risk.static_score_norm: + dashed_name: process-group-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.group_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.group_leader.real_user.roles: + dashed_name: process-group-leader-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.group_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.group_leader.same_as_process: + dashed_name: process-group-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. 
+ e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.group_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. + type: boolean + process.group_leader.saved_group.domain: + dashed_name: process-group-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.group_leader.saved_group.id: + dashed_name: process-group-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.group_leader.saved_group.name: + dashed_name: process-group-leader-saved-group-name + description: Name of the group. + flat_name: process.group_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.group_leader.saved_user.domain: + dashed_name: process-group-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.group_leader.saved_user.email: + dashed_name: process-group-leader-saved-user-email + description: User email address. + flat_name: process.group_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.group_leader.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.group_leader.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.group_leader.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. 
Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.group_leader.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.group_leader.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.group_leader.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.saved_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.group_leader.saved_user.entity.id: + dashed_name: process-group-leader-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ flat_name: process.group_leader.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.group_leader.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.group_leader.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.group_leader.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.group_leader.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.group_leader.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.group_leader.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. 
+ type: object + process.group_leader.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.group_leader.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.saved_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.group_leader.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.group_leader.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.group_leader.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: process.group_leader.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.group_leader.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.group_leader.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.group_leader.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.group_leader.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.group_leader.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. 
+ name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
+ example: host + flat_name: process.group_leader.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.group_leader.saved_user.full_name: + dashed_name: process-group-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.group_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.group_leader.saved_user.group.domain: + dashed_name: process-group-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.group_leader.saved_user.group.id: + dashed_name: process-group-leader-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.group_leader.saved_user.group.name: + dashed_name: process-group-leader-saved-user-group-name + description: Name of the group. + flat_name: process.group_leader.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.group_leader.saved_user.hash: + dashed_name: process-group-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.group_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.group_leader.saved_user.id: + dashed_name: process-group-leader-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.group_leader.saved_user.name: + dashed_name: process-group-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.group_leader.saved_user.risk.calculated_level: + dashed_name: process-group-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.group_leader.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: keyword + process.group_leader.saved_user.risk.calculated_score: + dashed_name: process-group-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.group_leader.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.group_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-group-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.group_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.group_leader.saved_user.risk.static_level: + dashed_name: process-group-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.group_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.group_leader.saved_user.risk.static_score: + dashed_name: process-group-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.group_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.group_leader.saved_user.risk.static_score_norm: + dashed_name: process-group-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.group_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.group_leader.saved_user.roles: + dashed_name: process-group-leader-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.group_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.group_leader.start: + dashed_name: process-group-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.group_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.group_leader.supplemental_groups.domain: + dashed_name: process-group-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.group_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.group_leader.supplemental_groups.id: + dashed_name: process-group-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.group_leader.supplemental_groups.name: + dashed_name: process-group-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.group_leader.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.group_leader.thread.capabilities.effective: + dashed_name: process-group-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.group_leader.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword + process.group_leader.thread.capabilities.permitted: + dashed_name: process-group-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.group_leader.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword + process.group_leader.thread.id: + dashed_name: process-group-leader-thread-id + description: Thread ID. + example: 4242 + flat_name: process.group_leader.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long + process.group_leader.thread.name: + dashed_name: process-group-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.group_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword + process.group_leader.title: + dashed_name: process-group-leader-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + flat_name: process.group_leader.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword + process.group_leader.tty: + dashed_name: process-group-leader-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.group_leader.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. 
+ type: object + process.group_leader.tty.char_device.major: + dashed_name: process-group-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.group_leader.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long + process.group_leader.tty.char_device.minor: + dashed_name: process-group-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.group_leader.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long + process.group_leader.tty.columns: + dashed_name: process-group-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.group_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long + process.group_leader.tty.rows: + dashed_name: process-group-leader-tty-rows + description: 'The number of character rows in the terminal. 
e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.group_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long + process.group_leader.uptime: + dashed_name: process-group-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.group_leader.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long + process.group_leader.user.domain: + dashed_name: process-group-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.group_leader.user.email: + dashed_name: process-group-leader-user-email + description: User email address. + flat_name: process.group_leader.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.group_leader.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. 
+ flat_name: process.group_leader.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.group_leader.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.group_leader.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.group_leader.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.group_leader.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.group_leader.user.entity.id: + dashed_name: process-group-leader-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.group_leader.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.group_leader.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.group_leader.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.group_leader.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.group_leader.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. 
+ type: object + process.group_leader.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.group_leader.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.group_leader.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.group_leader.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.group_leader.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.group_leader.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.group_leader.user.entity.reference: + beta: This field is beta and subject to change. 
+ dashed_name: process-group-leader-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.group_leader.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.group_leader.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.group_leader.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.group_leader.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.group_leader.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. 
+ type: keyword + process.group_leader.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. 
+ name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-type + description: 'A standardized high-level classification of the entity. 
This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.group_leader.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.group_leader.user.full_name: + dashed_name: process-group-leader-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.group_leader.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.group_leader.user.group.domain: + dashed_name: process-group-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.group_leader.user.group.id: + dashed_name: process-group-leader-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.group_leader.user.group.name: + dashed_name: process-group-leader-user-group-name + description: Name of the group. 
+ flat_name: process.group_leader.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.group_leader.user.hash: + dashed_name: process-group-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.group_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.group_leader.user.id: + dashed_name: process-group-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.group_leader.user.name: + dashed_name: process-group-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.group_leader.user.risk.calculated_level: + dashed_name: process-group-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.group_leader.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.group_leader.user.risk.calculated_score: + dashed_name: process-group-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.group_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.group_leader.user.risk.calculated_score_norm: + dashed_name: process-group-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.group_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.group_leader.user.risk.static_level: + dashed_name: process-group-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.group_leader.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: keyword + process.group_leader.user.risk.static_score: + dashed_name: process-group-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.group_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.group_leader.user.risk.static_score_norm: + dashed_name: process-group-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.group_leader.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.group_leader.user.roles: + dashed_name: process-group-leader-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.group_leader.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.group_leader.vpid: + dashed_name: process-group-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' 
+ example: 4242 + flat_name: process.group_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.group_leader.working_directory: + dashed_name: process-group-leader-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.group_leader.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword + process.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.hash.md5: + dashed_name: process-hash-md5 + description: MD5 hash. + flat_name: process.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.hash.sha1: + dashed_name: process-hash-sha1 + description: SHA1 hash. + flat_name: process.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + process.hash.sha256: + dashed_name: process-hash-sha256 + description: SHA256 hash. + flat_name: process.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.hash.sha384: + dashed_name: process-hash-sha384 + description: SHA384 hash. 
+ flat_name: process.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword + process.hash.sha512: + dashed_name: process-hash-sha512 + description: SHA512 hash. + flat_name: process.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.hash.ssdeep: + dashed_name: process-hash-ssdeep + description: SSDEEP hash. + flat_name: process.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + process.hash.tlsh: + dashed_name: process-hash-tlsh + description: TLSH hash. + flat_name: process.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.interactive: + dashed_name: process-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.interactive + level: extended + name: interactive + normalize: [] + otel: + - relation: match + short: Whether the process is connected to an interactive shell. + type: boolean + process.io: + dashed_name: process-io + description: 'A chunk of input or output (IO) from a single process. 
+ + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.io + level: extended + name: io + normalize: [] + short: A chunk of input or output (IO) from a single process. + type: object + process.io.bytes_skipped: + dashed_name: process-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + flat_name: process.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.io.bytes_skipped.length: + dashed_name: process-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + short: The length of bytes skipped. + type: long + process.io.bytes_skipped.offset: + dashed_name: process-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.io.max_bytes_per_process_exceeded: + dashed_name: process-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.io.text: + dashed_name: process-io-text + description: 'A chunk of output or input sanitized to UTF-8. 
+ + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.io.text + level: extended + name: io.text + normalize: [] + short: A chunk of output or input sanitized to UTF-8. + type: wildcard + process.io.total_bytes_captured: + dashed_name: process-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + short: The total number of bytes captured in this event. + type: long + process.io.total_bytes_skipped: + dashed_name: process-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: long + process.io.type: + dashed_name: process-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + short: The type of object on which the IO action (read or write) was taken. + type: keyword + process.macho.go_import_hash: + dashed_name: process-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword + process.macho.go_imports: + dashed_name: process-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.macho.go_imports_names_entropy: + dashed_name: process-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.macho.go_imports_names_var_entropy: + dashed_name: process-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long + process.macho.go_stripped: + dashed_name: process-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.macho.import_hash: + dashed_name: process-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.macho.imports: + dashed_name: process-macho-imports + description: List of imported element names and types. + flat_name: process.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + process.macho.imports_names_entropy: + dashed_name: process-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.macho.imports_names_var_entropy: + dashed_name: process-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.macho.sections: + dashed_name: process-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.macho.sections.entropy: + dashed_name: process-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long + process.macho.sections.name: + dashed_name: process-macho-sections-name + description: Mach-O Section List name. + flat_name: process.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.macho.sections.physical_size: + dashed_name: process-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.macho.sections.var_entropy: + dashed_name: process-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. 
+ flat_name: process.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.macho.sections.virtual_size: + dashed_name: process-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.macho.symhash: + dashed_name: process-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.name: + dashed_name: process-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.name.text + name: text + type: match_only_text + name: name + normalize: [] + short: Process name. + type: keyword + process.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. 
+ example: http://example.com/article1.html + flat_name: process.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + short: The URL where the process's executable file is hosted. + type: keyword + process.parent.args: + dashed_name: process-parent-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.parent.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.parent.args_count: + dashed_name: process-parent-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.parent.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long + process.parent.attested_groups.domain: + dashed_name: process-parent-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.parent.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.attested_groups.id: + dashed_name: process-parent-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.attested_groups.name: + dashed_name: process-parent-attested-groups-name + description: Name of the group. + flat_name: process.parent.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.attested_user.domain: + dashed_name: process-parent-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.parent.attested_user.email: + dashed_name: process-parent-attested-user-email + description: User email address. + flat_name: process.parent.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.parent.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-parent-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. 
Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.parent.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.parent.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-parent-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.parent.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-parent-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.parent.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.attested_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.parent.attested_user.entity.id: + dashed_name: process-parent-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.parent.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.parent.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-parent-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.parent.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.parent.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. 
+ dashed_name: process-parent-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.parent.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-parent-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.parent.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.parent.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-parent-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.parent.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.attested_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.parent.attested_user.entity.raw: + beta: This field is beta and subject to change. 
+ dashed_name: process-parent-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.parent.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.parent.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-parent-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.parent.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.parent.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-parent-attested-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.parent.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.parent.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-parent-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. 
This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.parent.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.parent.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. 
+ name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. 
This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-parent-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.parent.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.parent.attested_user.full_name: + dashed_name: process-parent-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.parent.attested_user.group.domain: + dashed_name: process-parent-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.parent.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.attested_user.group.id: + dashed_name: process-parent-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.attested_user.group.name: + dashed_name: process-parent-attested-user-group-name + description: Name of the group. + flat_name: process.parent.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.attested_user.hash: + dashed_name: process-parent-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.parent.attested_user.id: + dashed_name: process-parent-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.parent.attested_user.name: + dashed_name: process-parent-attested-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.parent.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.parent.attested_user.risk.calculated_level: + dashed_name: process-parent-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.parent.attested_user.risk.calculated_score: + dashed_name: process-parent-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.parent.attested_user.risk.calculated_score_norm: + dashed_name: process-parent-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. 
+ example: 88.73 + flat_name: process.parent.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.parent.attested_user.risk.static_level: + dashed_name: process-parent-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.parent.attested_user.risk.static_score: + dashed_name: process-parent-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.parent.attested_user.risk.static_score_norm: + dashed_name: process-parent-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. 
+ type: float + process.parent.attested_user.roles: + dashed_name: process-parent-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.parent.code_signature.digest_algorithm: + dashed_name: process-parent-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.parent.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword + process.parent.code_signature.exists: + dashed_name: process-parent-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.parent.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.parent.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword + process.parent.code_signature.signing_id: + dashed_name: process-parent-code-signature-signing-id + description: 'The identifier used to sign the process. 
+ + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.parent.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + process.parent.code_signature.status: + dashed_name: process-parent-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.parent.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + process.parent.code_signature.subject_name: + dashed_name: process-parent-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.parent.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.parent.code_signature.team_id: + dashed_name: process-parent-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.parent.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. 
+ type: keyword + process.parent.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-parent-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.parent.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword + process.parent.code_signature.timestamp: + dashed_name: process-parent-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.parent.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date + process.parent.code_signature.trusted: + dashed_name: process-parent-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.parent.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.parent.code_signature.valid: + dashed_name: process-parent-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' 
+ example: 'true' + flat_name: process.parent.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + process.parent.command_line: + dashed_name: process-parent-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.parent.command_line + level: extended + multi_fields: + - flat_name: process.parent.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.parent.elf.architecture: + dashed_name: process-parent-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.parent.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.parent.elf.byte_order: + dashed_name: process-parent-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.parent.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + process.parent.elf.cpu_type: + dashed_name: process-parent-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.parent.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. 
+ type: keyword + process.parent.elf.creation_date: + dashed_name: process-parent-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: process.parent.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + process.parent.elf.exports: + dashed_name: process-parent-elf-exports + description: List of exported element names and types. + flat_name: process.parent.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + process.parent.elf.go_import_hash: + dashed_name: process-parent-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + process.parent.elf.go_imports: + dashed_name: process-parent-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. 
+ type: flattened + process.parent.elf.go_imports_names_entropy: + dashed_name: process-parent-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + process.parent.elf.go_imports_names_var_entropy: + dashed_name: process-parent-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.parent.elf.go_stripped: + dashed_name: process-parent-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.parent.elf.header.abi_version: + dashed_name: process-parent-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.parent.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.parent.elf.header.class: + dashed_name: process-parent-elf-header-class + description: Header class of the ELF file. 
+ flat_name: process.parent.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + process.parent.elf.header.data: + dashed_name: process-parent-elf-header-data + description: Data table of the ELF header. + flat_name: process.parent.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + process.parent.elf.header.entrypoint: + dashed_name: process-parent-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.parent.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.parent.elf.header.object_version: + dashed_name: process-parent-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.parent.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.parent.elf.header.os_abi: + dashed_name: process-parent-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.parent.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.parent.elf.header.type: + dashed_name: process-parent-elf-header-type + description: Header type of the ELF file. + flat_name: process.parent.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. 
+ type: keyword + process.parent.elf.header.version: + dashed_name: process-parent-elf-header-version + description: Version of the ELF header. + flat_name: process.parent.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.parent.elf.import_hash: + dashed_name: process-parent-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword + process.parent.elf.imports: + dashed_name: process-parent-elf-imports + description: List of imported element names and types. + flat_name: process.parent.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.parent.elf.imports_names_entropy: + dashed_name: process-parent-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.parent.elf.imports_names_var_entropy: + dashed_name: process-parent-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.parent.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.parent.elf.sections: + dashed_name: process-parent-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.parent.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.parent.elf.sections.chi2: + dashed_name: process-parent-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.parent.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.parent.elf.sections.entropy: + dashed_name: process-parent-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.parent.elf.sections.flags: + dashed_name: process-parent-elf-sections-flags + description: ELF Section List flags. + flat_name: process.parent.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + process.parent.elf.sections.name: + dashed_name: process-parent-elf-sections-name + description: ELF Section List name. 
+ flat_name: process.parent.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.parent.elf.sections.physical_offset: + dashed_name: process-parent-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.parent.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.parent.elf.sections.physical_size: + dashed_name: process-parent-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.parent.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + process.parent.elf.sections.type: + dashed_name: process-parent-elf-sections-type + description: ELF Section List type. + flat_name: process.parent.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.parent.elf.sections.var_entropy: + dashed_name: process-parent-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long + process.parent.elf.sections.virtual_address: + dashed_name: process-parent-elf-sections-virtual-address + description: ELF Section List virtual address. 
+ flat_name: process.parent.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.parent.elf.sections.virtual_size: + dashed_name: process-parent-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.parent.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + process.parent.elf.segments: + dashed_name: process-parent-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.parent.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + process.parent.elf.segments.sections: + dashed_name: process-parent-elf-segments-sections + description: ELF object segment sections. + flat_name: process.parent.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.parent.elf.segments.type: + dashed_name: process-parent-elf-segments-type + description: ELF object segment type. + flat_name: process.parent.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + process.parent.elf.shared_libraries: + dashed_name: process-parent-elf-shared-libraries + description: List of shared libraries used by this ELF object. 
+ flat_name: process.parent.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + process.parent.elf.telfhash: + dashed_name: process-parent-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.parent.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + process.parent.end: + dashed_name: process-parent-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date + process.parent.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-parent-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.parent.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.parent.entity_id: + dashed_name: process-parent-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' 
+ example: c2c455d9f99375d + flat_name: process.parent.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.parent.entry_meta.source.address: + dashed_name: process-parent-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.parent.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword + process.parent.entry_meta.source.as.number: + dashed_name: process-parent-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.parent.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.parent.entry_meta.source.as.organization.name: + dashed_name: process-parent-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.parent.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword + process.parent.entry_meta.source.bytes: + dashed_name: process-parent-entry-meta-source-bytes + description: Bytes sent from the source to the destination. 
+ example: 184 + flat_name: process.parent.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.parent.entry_meta.source.domain: + dashed_name: process-parent-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.parent.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.parent.entry_meta.source.geo.city_name: + dashed_name: process-parent-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.parent.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + process.parent.entry_meta.source.geo.continent_code: + dashed_name: process-parent-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.parent.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + process.parent.entry_meta.source.geo.continent_name: + dashed_name: process-parent-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.parent.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. 
+ type: keyword + process.parent.entry_meta.source.geo.country_iso_code: + dashed_name: process-parent-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.parent.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + process.parent.entry_meta.source.geo.country_name: + dashed_name: process-parent-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.parent.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + process.parent.entry_meta.source.geo.location: + dashed_name: process-parent-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.parent.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + process.parent.entry_meta.source.geo.name: + dashed_name: process-parent-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.parent.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.parent.entry_meta.source.geo.postal_code: + dashed_name: process-parent-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. 
+ + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.parent.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.parent.entry_meta.source.geo.region_iso_code: + dashed_name: process-parent-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.parent.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.parent.entry_meta.source.geo.region_name: + dashed_name: process-parent-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.parent.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + process.parent.entry_meta.source.geo.timezone: + dashed_name: process-parent-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.parent.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.parent.entry_meta.source.ip: + dashed_name: process-parent-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.parent.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip + process.parent.entry_meta.source.mac: + dashed_name: process-parent-entry-meta-source-mac + description: 'MAC address of the source. 
+ + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.parent.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.parent.entry_meta.source.nat.ip: + dashed_name: process-parent-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.parent.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.parent.entry_meta.source.nat.port: + dashed_name: process-parent-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.parent.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.parent.entry_meta.source.packets: + dashed_name: process-parent-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.parent.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.parent.entry_meta.source.port: + dashed_name: process-parent-entry-meta-source-port + description: Port of the source. 
+ flat_name: process.parent.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.parent.entry_meta.source.registered_domain: + dashed_name: process-parent-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.parent.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.parent.entry_meta.source.subdomain: + dashed_name: process-parent-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.parent.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. 
+ type: keyword + process.parent.entry_meta.source.top_level_domain: + dashed_name: process-parent-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.parent.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword + process.parent.entry_meta.type: + dashed_name: process-parent-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.parent.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword + process.parent.env_vars: + dashed_name: process-parent-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.parent.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. 
+ synthetic_source_keep: none + type: keyword + process.parent.executable: + dashed_name: process-parent-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.parent.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword + process.parent.exit_code: + dashed_name: process-parent-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.parent.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long + process.parent.group.domain: + dashed_name: process-parent-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.group.id: + dashed_name: process-parent-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.group.name: + dashed_name: process-parent-group-name + description: Name of the group. + flat_name: process.parent.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.parent.group_leader.args: + dashed_name: process-parent-group-leader-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.parent.group_leader.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.parent.group_leader.args_count: + dashed_name: process-parent-group-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.parent.group_leader.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long + process.parent.group_leader.attested_groups.domain: + dashed_name: process-parent-group-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.group_leader.attested_groups.id: + dashed_name: process-parent-group-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + process.parent.group_leader.attested_groups.name: + dashed_name: process-parent-group-leader-attested-groups-name + description: Name of the group. + flat_name: process.parent.group_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.group_leader.attested_user.domain: + dashed_name: process-parent-group-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.parent.group_leader.attested_user.email: + dashed_name: process-parent-group-leader-attested-user-email + description: User email address. + flat_name: process.parent.group_leader.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.parent.group_leader.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.parent.group_leader.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. 
+ type: object + process.parent.group_leader.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.group_leader.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.parent.group_leader.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.parent.group_leader.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.attested_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.parent.group_leader.attested_user.entity.id: + dashed_name: process-parent-group-leader-attested-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.parent.group_leader.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.parent.group_leader.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.parent.group_leader.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.parent.group_leader.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.parent.group_leader.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.parent.group_leader.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.parent.group_leader.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.parent.group_leader.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.parent.group_leader.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.attested_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.parent.group_leader.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. 
+ flat_name: process.parent.group_leader.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.parent.group_leader.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.parent.group_leader.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.parent.group_leader.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.parent.group_leader.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.parent.group_leader.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.parent.group_leader.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.parent.group_leader.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. 
This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. 
This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.parent.group_leader.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.parent.group_leader.attested_user.full_name: + dashed_name: process-parent-group-leader-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.group_leader.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.parent.group_leader.attested_user.group.domain: + dashed_name: process-parent-group-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.parent.group_leader.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.group_leader.attested_user.group.id: + dashed_name: process-parent-group-leader-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.group_leader.attested_user.group.name: + dashed_name: process-parent-group-leader-attested-user-group-name + description: Name of the group. + flat_name: process.parent.group_leader.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.group_leader.attested_user.hash: + dashed_name: process-parent-group-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.group_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.parent.group_leader.attested_user.id: + dashed_name: process-parent-group-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.group_leader.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. 
+ type: keyword + process.parent.group_leader.attested_user.name: + dashed_name: process-parent-group-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.group_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.parent.group_leader.attested_user.risk.calculated_level: + dashed_name: process-parent-group-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.group_leader.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.parent.group_leader.attested_user.risk.calculated_score: + dashed_name: process-parent-group-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.group_leader.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + process.parent.group_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-parent-group-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.parent.group_leader.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.parent.group_leader.attested_user.risk.static_level: + dashed_name: process-parent-group-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.group_leader.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.parent.group_leader.attested_user.risk.static_score: + dashed_name: process-parent-group-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.group_leader.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.parent.group_leader.attested_user.risk.static_score_norm: + dashed_name: process-parent-group-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.group_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.parent.group_leader.attested_user.roles: + dashed_name: process-parent-group-leader-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.group_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.parent.group_leader.code_signature.digest_algorithm: + dashed_name: process-parent-group-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.parent.group_leader.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword + process.parent.group_leader.code_signature.exists: + dashed_name: process-parent-group-leader-code-signature-exists + description: Boolean to capture if a signature is present. 
+ example: 'true' + flat_name: process.parent.group_leader.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.parent.group_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.parent.group_leader.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword + process.parent.group_leader.code_signature.signing_id: + dashed_name: process-parent-group-leader-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.parent.group_leader.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + process.parent.group_leader.code_signature.status: + dashed_name: process-parent-group-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.parent.group_leader.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. 
+ type: keyword + process.parent.group_leader.code_signature.subject_name: + dashed_name: process-parent-group-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.parent.group_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.parent.group_leader.code_signature.team_id: + dashed_name: process-parent-group-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.parent.group_leader.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + process.parent.group_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.parent.group_leader.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword + process.parent.group_leader.code_signature.timestamp: + dashed_name: process-parent-group-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. 
+ example: '2021-01-01T12:10:30Z' + flat_name: process.parent.group_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date + process.parent.group_leader.code_signature.trusted: + dashed_name: process-parent-group-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.parent.group_leader.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.parent.group_leader.code_signature.valid: + dashed_name: process-parent-group-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.parent.group_leader.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + process.parent.group_leader.command_line: + dashed_name: process-parent-group-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' 
+ example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.parent.group_leader.command_line + level: extended + multi_fields: + - flat_name: process.parent.group_leader.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.parent.group_leader.elf.architecture: + dashed_name: process-parent-group-leader-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.parent.group_leader.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.parent.group_leader.elf.byte_order: + dashed_name: process-parent-group-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.parent.group_leader.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + process.parent.group_leader.elf.cpu_type: + dashed_name: process-parent-group-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.parent.group_leader.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + process.parent.group_leader.elf.creation_date: + dashed_name: process-parent-group-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: process.parent.group_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. 
+ type: date + process.parent.group_leader.elf.exports: + dashed_name: process-parent-group-leader-elf-exports + description: List of exported element names and types. + flat_name: process.parent.group_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + process.parent.group_leader.elf.go_import_hash: + dashed_name: process-parent-group-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.group_leader.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + process.parent.group_leader.elf.go_imports: + dashed_name: process-parent-group-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.group_leader.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.parent.group_leader.elf.go_imports_names_entropy: + dashed_name: process-parent-group-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.parent.group_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + process.parent.group_leader.elf.go_imports_names_var_entropy: + dashed_name: process-parent-group-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.group_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.parent.group_leader.elf.go_stripped: + dashed_name: process-parent-group-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.group_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.parent.group_leader.elf.header.abi_version: + dashed_name: process-parent-group-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.parent.group_leader.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.parent.group_leader.elf.header.class: + dashed_name: process-parent-group-leader-elf-header-class + description: Header class of the ELF file. 
+ flat_name: process.parent.group_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + process.parent.group_leader.elf.header.data: + dashed_name: process-parent-group-leader-elf-header-data + description: Data table of the ELF header. + flat_name: process.parent.group_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + process.parent.group_leader.elf.header.entrypoint: + dashed_name: process-parent-group-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.parent.group_leader.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.parent.group_leader.elf.header.object_version: + dashed_name: process-parent-group-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.parent.group_leader.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.parent.group_leader.elf.header.os_abi: + dashed_name: process-parent-group-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.parent.group_leader.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.parent.group_leader.elf.header.type: + dashed_name: process-parent-group-leader-elf-header-type + description: Header type of the ELF file. 
+ flat_name: process.parent.group_leader.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.parent.group_leader.elf.header.version: + dashed_name: process-parent-group-leader-elf-header-version + description: Version of the ELF header. + flat_name: process.parent.group_leader.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.parent.group_leader.elf.import_hash: + dashed_name: process-parent-group-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.group_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword + process.parent.group_leader.elf.imports: + dashed_name: process-parent-group-leader-elf-imports + description: List of imported element names and types. + flat_name: process.parent.group_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.parent.group_leader.elf.imports_names_entropy: + dashed_name: process-parent-group-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.parent.group_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.parent.group_leader.elf.imports_names_var_entropy: + dashed_name: process-parent-group-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.group_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.parent.group_leader.elf.sections: + dashed_name: process-parent-group-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.parent.group_leader.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.parent.group_leader.elf.sections.chi2: + dashed_name: process-parent-group-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.parent.group_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.parent.group_leader.elf.sections.entropy: + dashed_name: process-parent-group-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: process.parent.group_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.parent.group_leader.elf.sections.flags: + dashed_name: process-parent-group-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.parent.group_leader.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + process.parent.group_leader.elf.sections.name: + dashed_name: process-parent-group-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.parent.group_leader.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.parent.group_leader.elf.sections.physical_offset: + dashed_name: process-parent-group-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.parent.group_leader.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.parent.group_leader.elf.sections.physical_size: + dashed_name: process-parent-group-leader-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.parent.group_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + process.parent.group_leader.elf.sections.type: + dashed_name: process-parent-group-leader-elf-sections-type + description: ELF Section List type. 
+ flat_name: process.parent.group_leader.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.parent.group_leader.elf.sections.var_entropy: + dashed_name: process-parent-group-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long + process.parent.group_leader.elf.sections.virtual_address: + dashed_name: process-parent-group-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.parent.group_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.parent.group_leader.elf.sections.virtual_size: + dashed_name: process-parent-group-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.parent.group_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + process.parent.group_leader.elf.segments: + dashed_name: process-parent-group-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.parent.group_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. 
+ type: nested + process.parent.group_leader.elf.segments.sections: + dashed_name: process-parent-group-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.parent.group_leader.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.parent.group_leader.elf.segments.type: + dashed_name: process-parent-group-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.parent.group_leader.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + process.parent.group_leader.elf.shared_libraries: + dashed_name: process-parent-group-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.parent.group_leader.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + process.parent.group_leader.elf.telfhash: + dashed_name: process-parent-group-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.parent.group_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + process.parent.group_leader.end: + dashed_name: process-parent-group-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.group_leader.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date + process.parent.group_leader.endpoint_security_client: + beta: This field is beta and subject to change. 
+ dashed_name: process-parent-group-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.parent.group_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.parent.group_leader.entity_id: + dashed_name: process-parent-group-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.parent.group_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.parent.group_leader.entry_meta.source.address: + dashed_name: process-parent-group-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.parent.group_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. 
+ type: keyword + process.parent.group_leader.entry_meta.source.as.number: + dashed_name: process-parent-group-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.parent.group_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.parent.group_leader.entry_meta.source.as.organization.name: + dashed_name: process-parent-group-leader-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.parent.group_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword + process.parent.group_leader.entry_meta.source.bytes: + dashed_name: process-parent-group-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.parent.group_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.parent.group_leader.entry_meta.source.domain: + dashed_name: process-parent-group-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' 
+ example: foo.example.com + flat_name: process.parent.group_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.parent.group_leader.entry_meta.source.geo.city_name: + dashed_name: process-parent-group-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.parent.group_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + process.parent.group_leader.entry_meta.source.geo.continent_code: + dashed_name: process-parent-group-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.parent.group_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + process.parent.group_leader.entry_meta.source.geo.continent_name: + dashed_name: process-parent-group-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.parent.group_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.parent.group_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-parent-group-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.parent.group_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. 
+ type: keyword + process.parent.group_leader.entry_meta.source.geo.country_name: + dashed_name: process-parent-group-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.parent.group_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + process.parent.group_leader.entry_meta.source.geo.location: + dashed_name: process-parent-group-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.parent.group_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + process.parent.group_leader.entry_meta.source.geo.name: + dashed_name: process-parent-group-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.parent.group_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.parent.group_leader.entry_meta.source.geo.postal_code: + dashed_name: process-parent-group-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' 
+ example: 94040 + flat_name: process.parent.group_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.parent.group_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-parent-group-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.parent.group_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.parent.group_leader.entry_meta.source.geo.region_name: + dashed_name: process-parent-group-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.parent.group_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + process.parent.group_leader.entry_meta.source.geo.timezone: + dashed_name: process-parent-group-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.parent.group_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.parent.group_leader.entry_meta.source.ip: + dashed_name: process-parent-group-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.parent.group_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. 
+ type: ip + process.parent.group_leader.entry_meta.source.mac: + dashed_name: process-parent-group-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.parent.group_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.parent.group_leader.entry_meta.source.nat.ip: + dashed_name: process-parent-group-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.parent.group_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.parent.group_leader.entry_meta.source.nat.port: + dashed_name: process-parent-group-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.parent.group_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.parent.group_leader.entry_meta.source.packets: + dashed_name: process-parent-group-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. 
+ example: 12 + flat_name: process.parent.group_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.parent.group_leader.entry_meta.source.port: + dashed_name: process-parent-group-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.parent.group_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.parent.group_leader.entry_meta.source.registered_domain: + dashed_name: process-parent-group-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.parent.group_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.parent.group_leader.entry_meta.source.subdomain: + dashed_name: process-parent-group-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.parent.group_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.parent.group_leader.entry_meta.source.top_level_domain: + dashed_name: process-parent-group-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.parent.group_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword + process.parent.group_leader.entry_meta.type: + dashed_name: process-parent-group-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.parent.group_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword + process.parent.group_leader.env_vars: + dashed_name: process-parent-group-leader-env-vars + description: 'Array of environment variable bindings. 
Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.parent.group_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.parent.group_leader.executable: + dashed_name: process-parent-group-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.parent.group_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword + process.parent.group_leader.exit_code: + dashed_name: process-parent-group-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.parent.group_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long + process.parent.group_leader.group.domain: + dashed_name: process-parent-group-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.parent.group_leader.group.id: + dashed_name: process-parent-group-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.group_leader.group.name: + dashed_name: process-parent-group-leader-group-name + description: Name of the group. + flat_name: process.parent.group_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.group_leader.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.parent.group_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.parent.group_leader.hash.md5: + dashed_name: process-parent-group-leader-hash-md5 + description: MD5 hash. + flat_name: process.parent.group_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.parent.group_leader.hash.sha1: + dashed_name: process-parent-group-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.parent.group_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + process.parent.group_leader.hash.sha256: + dashed_name: process-parent-group-leader-hash-sha256 + description: SHA256 hash. 
+ flat_name: process.parent.group_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.parent.group_leader.hash.sha384: + dashed_name: process-parent-group-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.parent.group_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword + process.parent.group_leader.hash.sha512: + dashed_name: process-parent-group-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.parent.group_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.parent.group_leader.hash.ssdeep: + dashed_name: process-parent-group-leader-hash-ssdeep + description: SSDEEP hash. + flat_name: process.parent.group_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + process.parent.group_leader.hash.tlsh: + dashed_name: process-parent-group-leader-hash-tlsh + description: TLSH hash. + flat_name: process.parent.group_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.parent.group_leader.interactive: + dashed_name: process-parent-group-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. 
+ + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.parent.group_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.parent.group_leader.io: + dashed_name: process-parent-group-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.parent.group_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object + process.parent.group_leader.io.bytes_skipped: + dashed_name: process-parent-group-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + flat_name: process.parent.group_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.parent.group_leader.io.bytes_skipped.length: + dashed_name: process-parent-group-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.parent.group_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. 
+ type: long + process.parent.group_leader.io.bytes_skipped.offset: + dashed_name: process-parent-group-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.parent.group_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.parent.group_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-parent-group-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.parent.group_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.parent.group_leader.io.text: + dashed_name: process-parent-group-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.parent.group_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. 
+ type: wildcard + process.parent.group_leader.io.total_bytes_captured: + dashed_name: process-parent-group-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.parent.group_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long + process.parent.group_leader.io.total_bytes_skipped: + dashed_name: process-parent-group-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.parent.group_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: long + process.parent.group_leader.io.type: + dashed_name: process-parent-group-leader-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.parent.group_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword + process.parent.group_leader.macho.go_import_hash: + dashed_name: process-parent-group-leader-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.group_leader.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword + process.parent.group_leader.macho.go_imports: + dashed_name: process-parent-group-leader-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.group_leader.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.parent.group_leader.macho.go_imports_names_entropy: + dashed_name: process-parent-group-leader-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.group_leader.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.parent.group_leader.macho.go_imports_names_var_entropy: + dashed_name: process-parent-group-leader-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.group_leader.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long + process.parent.group_leader.macho.go_stripped: + dashed_name: process-parent-group-leader-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.group_leader.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.parent.group_leader.macho.import_hash: + dashed_name: process-parent-group-leader-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.group_leader.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.parent.group_leader.macho.imports: + dashed_name: process-parent-group-leader-macho-imports + description: List of imported element names and types. + flat_name: process.parent.group_leader.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + process.parent.group_leader.macho.imports_names_entropy: + dashed_name: process-parent-group-leader-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.parent.group_leader.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.parent.group_leader.macho.imports_names_var_entropy: + dashed_name: process-parent-group-leader-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.group_leader.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.parent.group_leader.macho.sections: + dashed_name: process-parent-group-leader-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.parent.group_leader.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.parent.group_leader.macho.sections.entropy: + dashed_name: process-parent-group-leader-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long + process.parent.group_leader.macho.sections.name: + dashed_name: process-parent-group-leader-macho-sections-name + description: Mach-O Section List name. 
+ flat_name: process.parent.group_leader.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.parent.group_leader.macho.sections.physical_size: + dashed_name: process-parent-group-leader-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.parent.group_leader.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.parent.group_leader.macho.sections.var_entropy: + dashed_name: process-parent-group-leader-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.parent.group_leader.macho.sections.virtual_size: + dashed_name: process-parent-group-leader-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.group_leader.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.parent.group_leader.macho.symhash: + dashed_name: process-parent-group-leader-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
+ + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.parent.group_leader.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.parent.group_leader.name: + dashed_name: process-parent-group-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.parent.group_leader.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword + process.parent.group_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.parent.group_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.parent.group_leader.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.parent.group_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. 
+ type: keyword + process.parent.group_leader.pe.architecture: + dashed_name: process-parent-group-leader-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.parent.group_leader.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + process.parent.group_leader.pe.company: + dashed_name: process-parent-group-leader-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.parent.group_leader.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.parent.group_leader.pe.description: + dashed_name: process-parent-group-leader-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.parent.group_leader.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + process.parent.group_leader.pe.file_version: + dashed_name: process-parent-group-leader-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.parent.group_leader.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + process.parent.group_leader.pe.go_import_hash: + dashed_name: process-parent-group-leader-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.group_leader.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword + process.parent.group_leader.pe.go_imports: + dashed_name: process-parent-group-leader-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.group_leader.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.parent.group_leader.pe.go_imports_names_entropy: + dashed_name: process-parent-group-leader-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.group_leader.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.parent.group_leader.pe.go_imports_names_var_entropy: + dashed_name: process-parent-group-leader-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.group_leader.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long + process.parent.group_leader.pe.go_stripped: + dashed_name: process-parent-group-leader-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.group_leader.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.parent.group_leader.pe.imphash: + dashed_name: process-parent-group-leader-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.parent.group_leader.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.parent.group_leader.pe.import_hash: + dashed_name: process-parent-group-leader-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.group_leader.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.parent.group_leader.pe.imports: + dashed_name: process-parent-group-leader-pe-imports + description: List of imported element names and types. 
+ flat_name: process.parent.group_leader.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + process.parent.group_leader.pe.imports_names_entropy: + dashed_name: process-parent-group-leader-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.group_leader.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.parent.group_leader.pe.imports_names_var_entropy: + dashed_name: process-parent-group-leader-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.group_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.parent.group_leader.pe.original_file_name: + dashed_name: process-parent-group-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.parent.group_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + process.parent.group_leader.pe.pehash: + dashed_name: process-parent-group-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. 
+ + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.parent.group_leader.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword + process.parent.group_leader.pe.product: + dashed_name: process-parent-group-leader-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.parent.group_leader.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.parent.group_leader.pe.sections: + dashed_name: process-parent-group-leader-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.parent.group_leader.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.parent.group_leader.pe.sections.entropy: + dashed_name: process-parent-group-leader-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + process.parent.group_leader.pe.sections.name: + dashed_name: process-parent-group-leader-pe-sections-name + description: PE Section List name. 
+ flat_name: process.parent.group_leader.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + process.parent.group_leader.pe.sections.physical_size: + dashed_name: process-parent-group-leader-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.parent.group_leader.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.parent.group_leader.pe.sections.var_entropy: + dashed_name: process-parent-group-leader-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.parent.group_leader.pe.sections.virtual_size: + dashed_name: process-parent-group-leader-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.group_leader.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.parent.group_leader.pid: + dashed_name: process-parent-group-leader-pid + description: Process id. + example: 4242 + flat_name: process.parent.group_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.parent.group_leader.platform_binary: + beta: This field is beta and subject to change. 
+ dashed_name: process-parent-group-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + flat_name: process.parent.group_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.parent.group_leader.real_group.domain: + dashed_name: process-parent-group-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.group_leader.real_group.id: + dashed_name: process-parent-group-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.group_leader.real_group.name: + dashed_name: process-parent-group-leader-real-group-name + description: Name of the group. + flat_name: process.parent.group_leader.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.group_leader.real_user.domain: + dashed_name: process-parent-group-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.parent.group_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.parent.group_leader.real_user.email: + dashed_name: process-parent-group-leader-real-user-email + description: User email address. + flat_name: process.parent.group_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.parent.group_leader.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.parent.group_leader.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.parent.group_leader.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.parent.group_leader.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.parent.group_leader.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.parent.group_leader.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.real_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.parent.group_leader.real_user.entity.id: + dashed_name: process-parent-group-leader-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.parent.group_leader.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. 
+ type: keyword + process.parent.group_leader.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.parent.group_leader.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.parent.group_leader.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.group_leader.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.parent.group_leader.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.parent.group_leader.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.parent.group_leader.real_user.entity.name: + beta: This field is beta and subject to change. 
+ dashed_name: process-parent-group-leader-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.parent.group_leader.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.real_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.parent.group_leader.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.parent.group_leader.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.parent.group_leader.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.parent.group_leader.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. 
+ type: keyword + process.parent.group_leader.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.parent.group_leader.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.parent.group_leader.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.parent.group_leader.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.parent.group_leader.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. 
This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
+ example: host + flat_name: process.parent.group_leader.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.parent.group_leader.real_user.full_name: + dashed_name: process-parent-group-leader-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.group_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.parent.group_leader.real_user.group.domain: + dashed_name: process-parent-group-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.group_leader.real_user.group.id: + dashed_name: process-parent-group-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.group_leader.real_user.group.name: + dashed_name: process-parent-group-leader-real-user-group-name + description: Name of the group. 
+ flat_name: process.parent.group_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.group_leader.real_user.hash: + dashed_name: process-parent-group-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.group_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.parent.group_leader.real_user.id: + dashed_name: process-parent-group-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.group_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.parent.group_leader.real_user.name: + dashed_name: process-parent-group-leader-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.group_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.parent.group_leader.real_user.risk.calculated_level: + dashed_name: process-parent-group-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.parent.group_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.parent.group_leader.real_user.risk.calculated_score: + dashed_name: process-parent-group-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.group_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.parent.group_leader.real_user.risk.calculated_score_norm: + dashed_name: process-parent-group-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.parent.group_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.parent.group_leader.real_user.risk.static_level: + dashed_name: process-parent-group-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.parent.group_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.parent.group_leader.real_user.risk.static_score: + dashed_name: process-parent-group-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.group_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.parent.group_leader.real_user.risk.static_score_norm: + dashed_name: process-parent-group-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.group_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.parent.group_leader.real_user.roles: + dashed_name: process-parent-group-leader-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.group_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword + process.parent.group_leader.same_as_process: + dashed_name: process-parent-group-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.parent.group_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. + type: boolean + process.parent.group_leader.saved_group.domain: + dashed_name: process-parent-group-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.parent.group_leader.saved_group.id: + dashed_name: process-parent-group-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.group_leader.saved_group.name: + dashed_name: process-parent-group-leader-saved-group-name + description: Name of the group. + flat_name: process.parent.group_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.group_leader.saved_user.domain: + dashed_name: process-parent-group-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.parent.group_leader.saved_user.email: + dashed_name: process-parent-group-leader-saved-user-email + description: User email address. + flat_name: process.parent.group_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.parent.group_leader.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. 
Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.parent.group_leader.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.parent.group_leader.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.group_leader.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.parent.group_leader.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.parent.group_leader.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.saved_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.parent.group_leader.saved_user.entity.id: + dashed_name: process-parent-group-leader-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.parent.group_leader.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.parent.group_leader.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.parent.group_leader.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." 
+ type: date + process.parent.group_leader.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.group_leader.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.parent.group_leader.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.parent.group_leader.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.parent.group_leader.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.parent.group_leader.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.saved_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. 
+ type: keyword + process.parent.group_leader.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.parent.group_leader.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.parent.group_leader.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.parent.group_leader.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.parent.group_leader.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.parent.group_leader.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.parent.group_leader.saved_user.entity.sub_type: + beta: This field is beta and subject to change. 
+ dashed_name: process-parent-group-leader-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.parent.group_leader.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.parent.group_leader.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. 
This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.parent.group_leader.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.parent.group_leader.saved_user.full_name: + dashed_name: process-parent-group-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.group_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. 
+ type: keyword + process.parent.group_leader.saved_user.group.domain: + dashed_name: process-parent-group-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.group_leader.saved_user.group.id: + dashed_name: process-parent-group-leader-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.group_leader.saved_user.group.name: + dashed_name: process-parent-group-leader-saved-user-group-name + description: Name of the group. + flat_name: process.parent.group_leader.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.group_leader.saved_user.hash: + dashed_name: process-parent-group-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.group_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.parent.group_leader.saved_user.id: + dashed_name: process-parent-group-leader-saved-user-id + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.group_leader.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.parent.group_leader.saved_user.name: + dashed_name: process-parent-group-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.group_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.parent.group_leader.saved_user.risk.calculated_level: + dashed_name: process-parent-group-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.group_leader.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.parent.group_leader.saved_user.risk.calculated_score: + dashed_name: process-parent-group-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.group_leader.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + process.parent.group_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-parent-group-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.parent.group_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.parent.group_leader.saved_user.risk.static_level: + dashed_name: process-parent-group-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.group_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.parent.group_leader.saved_user.risk.static_score: + dashed_name: process-parent-group-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.group_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.parent.group_leader.saved_user.risk.static_score_norm: + dashed_name: process-parent-group-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.group_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.parent.group_leader.saved_user.roles: + dashed_name: process-parent-group-leader-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.group_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.parent.group_leader.start: + dashed_name: process-parent-group-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.group_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.parent.group_leader.supplemental_groups.domain: + dashed_name: process-parent-group-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.parent.group_leader.supplemental_groups.id: + dashed_name: process-parent-group-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.group_leader.supplemental_groups.name: + dashed_name: process-parent-group-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.parent.group_leader.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.group_leader.thread.capabilities.effective: + dashed_name: process-parent-group-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.group_leader.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword + process.parent.group_leader.thread.capabilities.permitted: + dashed_name: process-parent-group-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.group_leader.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. 
+ synthetic_source_keep: none + type: keyword + process.parent.group_leader.thread.id: + dashed_name: process-parent-group-leader-thread-id + description: Thread ID. + example: 4242 + flat_name: process.parent.group_leader.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long + process.parent.group_leader.thread.name: + dashed_name: process-parent-group-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.parent.group_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword + process.parent.group_leader.title: + dashed_name: process-parent-group-leader-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + flat_name: process.parent.group_leader.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword + process.parent.group_leader.tty: + dashed_name: process-parent-group-leader-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.parent.group_leader.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object + process.parent.group_leader.tty.char_device.major: + dashed_name: process-parent-group-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. 
+ The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.parent.group_leader.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long + process.parent.group_leader.tty.char_device.minor: + dashed_name: process-parent-group-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.parent.group_leader.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long + process.parent.group_leader.tty.columns: + dashed_name: process-parent-group-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.parent.group_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long + process.parent.group_leader.tty.rows: + dashed_name: process-parent-group-leader-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. 
where event.action = ''text_output''' + example: 24 + flat_name: process.parent.group_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long + process.parent.group_leader.uptime: + dashed_name: process-parent-group-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.parent.group_leader.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long + process.parent.group_leader.user.domain: + dashed_name: process-parent-group-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.parent.group_leader.user.email: + dashed_name: process-parent-group-leader-user-email + description: User email address. + flat_name: process.parent.group_leader.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.parent.group_leader.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. 
+ flat_name: process.parent.group_leader.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.parent.group_leader.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.group_leader.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.parent.group_leader.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.parent.group_leader.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. 
+ type: keyword + process.parent.group_leader.user.entity.id: + dashed_name: process-parent-group-leader-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.parent.group_leader.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.parent.group_leader.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.parent.group_leader.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.parent.group_leader.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.parent.group_leader.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.parent.group_leader.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.parent.group_leader.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.parent.group_leader.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.parent.group_leader.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.parent.group_leader.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. 
+ flat_name: process.parent.group_leader.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.parent.group_leader.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.parent.group_leader.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.parent.group_leader.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.parent.group_leader.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.parent.group_leader.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: process.parent.group_leader.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.parent.group_leader.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. 
+ This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.parent.group_leader.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.parent.group_leader.user.full_name: + dashed_name: process-parent-group-leader-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.group_leader.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.parent.group_leader.user.group.domain: + dashed_name: process-parent-group-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.parent.group_leader.user.group.id: + dashed_name: process-parent-group-leader-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.group_leader.user.group.name: + dashed_name: process-parent-group-leader-user-group-name + description: Name of the group. + flat_name: process.parent.group_leader.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.group_leader.user.hash: + dashed_name: process-parent-group-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.group_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.parent.group_leader.user.id: + dashed_name: process-parent-group-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.group_leader.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.parent.group_leader.user.name: + dashed_name: process-parent-group-leader-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.parent.group_leader.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.parent.group_leader.user.risk.calculated_level: + dashed_name: process-parent-group-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.group_leader.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.parent.group_leader.user.risk.calculated_score: + dashed_name: process-parent-group-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.group_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.parent.group_leader.user.risk.calculated_score_norm: + dashed_name: process-parent-group-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. 
+ example: 88.73 + flat_name: process.parent.group_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.parent.group_leader.user.risk.static_level: + dashed_name: process-parent-group-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.group_leader.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.parent.group_leader.user.risk.static_score: + dashed_name: process-parent-group-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.group_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.parent.group_leader.user.risk.static_score_norm: + dashed_name: process-parent-group-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.group_leader.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. 
+ type: float + process.parent.group_leader.user.roles: + dashed_name: process-parent-group-leader-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.group_leader.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.parent.group_leader.vpid: + dashed_name: process-parent-group-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.parent.group_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.parent.group_leader.working_directory: + dashed_name: process-parent-group-leader-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.parent.group_leader.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword + process.parent.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-parent-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. 
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.parent.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.parent.hash.md5: + dashed_name: process-parent-hash-md5 + description: MD5 hash. + flat_name: process.parent.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.parent.hash.sha1: + dashed_name: process-parent-hash-sha1 + description: SHA1 hash. + flat_name: process.parent.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + process.parent.hash.sha256: + dashed_name: process-parent-hash-sha256 + description: SHA256 hash. + flat_name: process.parent.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.parent.hash.sha384: + dashed_name: process-parent-hash-sha384 + description: SHA384 hash. + flat_name: process.parent.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword + process.parent.hash.sha512: + dashed_name: process-parent-hash-sha512 + description: SHA512 hash. + flat_name: process.parent.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.parent.hash.ssdeep: + dashed_name: process-parent-hash-ssdeep + description: SSDEEP hash. + flat_name: process.parent.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + process.parent.hash.tlsh: + dashed_name: process-parent-hash-tlsh + description: TLSH hash. 
+ flat_name: process.parent.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.parent.interactive: + dashed_name: process-parent-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.parent.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.parent.io: + dashed_name: process-parent-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.parent.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object + process.parent.io.bytes_skipped: + dashed_name: process-parent-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + flat_name: process.parent.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. 
+ type: object + process.parent.io.bytes_skipped.length: + dashed_name: process-parent-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.parent.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long + process.parent.io.bytes_skipped.offset: + dashed_name: process-parent-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.parent.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.parent.io.max_bytes_per_process_exceeded: + dashed_name: process-parent-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.parent.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.parent.io.text: + dashed_name: process-parent-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' 
+ flat_name: process.parent.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard + process.parent.io.total_bytes_captured: + dashed_name: process-parent-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.parent.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long + process.parent.io.total_bytes_skipped: + dashed_name: process-parent-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.parent.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: long + process.parent.io.type: + dashed_name: process-parent-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.parent.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword + process.parent.macho.go_import_hash: + dashed_name: process-parent-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword + process.parent.macho.go_imports: + dashed_name: process-parent-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.parent.macho.go_imports_names_entropy: + dashed_name: process-parent-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.parent.macho.go_imports_names_var_entropy: + dashed_name: process-parent-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long + process.parent.macho.go_stripped: + dashed_name: process-parent-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.parent.macho.import_hash: + dashed_name: process-parent-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.parent.macho.imports: + dashed_name: process-parent-macho-imports + description: List of imported element names and types. + flat_name: process.parent.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + process.parent.macho.imports_names_entropy: + dashed_name: process-parent-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. 
+ type: long + process.parent.macho.imports_names_var_entropy: + dashed_name: process-parent-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.parent.macho.sections: + dashed_name: process-parent-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.parent.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.parent.macho.sections.entropy: + dashed_name: process-parent-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long + process.parent.macho.sections.name: + dashed_name: process-parent-macho-sections-name + description: Mach-O Section List name. + flat_name: process.parent.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.parent.macho.sections.physical_size: + dashed_name: process-parent-macho-sections-physical-size + description: Mach-O Section List physical size. 
+ flat_name: process.parent.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.parent.macho.sections.var_entropy: + dashed_name: process-parent-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.parent.macho.sections.virtual_size: + dashed_name: process-parent-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.parent.macho.symhash: + dashed_name: process-parent-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.parent.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.parent.name: + dashed_name: process-parent-name + description: 'Process name. + + Sometimes called program name or similar.' 
+ example: ssh + flat_name: process.parent.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword + process.parent.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-parent-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.parent.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.parent.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-parent-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.parent.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword + process.parent.pe.architecture: + dashed_name: process-parent-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.parent.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + process.parent.pe.company: + dashed_name: process-parent-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.parent.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. 
+ type: keyword + process.parent.pe.description: + dashed_name: process-parent-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.parent.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + process.parent.pe.file_version: + dashed_name: process-parent-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.parent.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + process.parent.pe.go_import_hash: + dashed_name: process-parent-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword + process.parent.pe.go_imports: + dashed_name: process-parent-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. 
+ type: flattened + process.parent.pe.go_imports_names_entropy: + dashed_name: process-parent-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.parent.pe.go_imports_names_var_entropy: + dashed_name: process-parent-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.parent.pe.go_stripped: + dashed_name: process-parent-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.parent.pe.imphash: + dashed_name: process-parent-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.parent.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. 
+ type: keyword + process.parent.pe.import_hash: + dashed_name: process-parent-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.parent.pe.imports: + dashed_name: process-parent-pe-imports + description: List of imported element names and types. + flat_name: process.parent.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + process.parent.pe.imports_names_entropy: + dashed_name: process-parent-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.parent.pe.imports_names_var_entropy: + dashed_name: process-parent-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. 
+ type: long + process.parent.pe.original_file_name: + dashed_name: process-parent-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.parent.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + process.parent.pe.pehash: + dashed_name: process-parent-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.parent.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword + process.parent.pe.product: + dashed_name: process-parent-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.parent.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.parent.pe.sections: + dashed_name: process-parent-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.parent.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. 
+ type: nested + process.parent.pe.sections.entropy: + dashed_name: process-parent-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + process.parent.pe.sections.name: + dashed_name: process-parent-pe-sections-name + description: PE Section List name. + flat_name: process.parent.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + process.parent.pe.sections.physical_size: + dashed_name: process-parent-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.parent.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.parent.pe.sections.var_entropy: + dashed_name: process-parent-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.parent.pe.sections.virtual_size: + dashed_name: process-parent-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.parent.pid: + dashed_name: process-parent-pid + description: Process id. 
+ example: 4242 + flat_name: process.parent.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.parent.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-parent-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + flat_name: process.parent.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.parent.real_group.domain: + dashed_name: process-parent-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.real_group.id: + dashed_name: process-parent-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.real_group.name: + dashed_name: process-parent-real-group-name + description: Name of the group. + flat_name: process.parent.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.real_user.domain: + dashed_name: process-parent-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.parent.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.parent.real_user.email: + dashed_name: process-parent-real-user-email + description: User email address. + flat_name: process.parent.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.parent.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.parent.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.parent.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. 
+ type: object + process.parent.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.parent.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.real_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.parent.real_user.entity.id: + dashed_name: process-parent-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.parent.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.parent.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. 
+ flat_name: process.parent.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.parent.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.parent.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.parent.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.parent.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. 
+ flat_name: process.parent.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.real_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.parent.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.parent.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.parent.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.parent.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.parent.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). 
+ flat_name: process.parent.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.parent.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.parent.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.parent.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. 
+ Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. 
Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.parent.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.parent.real_user.full_name: + dashed_name: process-parent-real-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.parent.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.parent.real_user.group.domain: + dashed_name: process-parent-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.real_user.group.id: + dashed_name: process-parent-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.real_user.group.name: + dashed_name: process-parent-real-user-group-name + description: Name of the group. + flat_name: process.parent.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.real_user.hash: + dashed_name: process-parent-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. 
+ type: keyword + process.parent.real_user.id: + dashed_name: process-parent-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.parent.real_user.name: + dashed_name: process-parent-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.parent.real_user.risk.calculated_level: + dashed_name: process-parent-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.parent.real_user.risk.calculated_score: + dashed_name: process-parent-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + process.parent.real_user.risk.calculated_score_norm: + dashed_name: process-parent-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.parent.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.parent.real_user.risk.static_level: + dashed_name: process-parent-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.parent.real_user.risk.static_score: + dashed_name: process-parent-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.parent.real_user.risk.static_score_norm: + dashed_name: process-parent-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + flat_name: process.parent.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.parent.real_user.roles: + dashed_name: process-parent-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.parent.same_as_process: + dashed_name: process-parent-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' 
+ example: true + flat_name: process.parent.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. + type: boolean + process.parent.saved_group.domain: + dashed_name: process-parent-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.saved_group.id: + dashed_name: process-parent-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.saved_group.name: + dashed_name: process-parent-saved-group-name + description: Name of the group. + flat_name: process.parent.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.saved_user.domain: + dashed_name: process-parent-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.parent.saved_user.email: + dashed_name: process-parent-saved-user-email + description: User email address. 
+ flat_name: process.parent.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.parent.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.parent.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.parent.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.parent.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. 
This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.parent.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.saved_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.parent.saved_user.entity.id: + dashed_name: process-parent-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.parent.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.parent.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.parent.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." 
+ type: date + process.parent.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.parent.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.parent.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.parent.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.parent.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.saved_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.parent.saved_user.entity.raw: + beta: This field is beta and subject to change. 
+ dashed_name: process-parent-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.parent.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.parent.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.parent.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.parent.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.parent.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.parent.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. 
Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.parent.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.parent.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. 
This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. 
This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.parent.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.parent.saved_user.full_name: + dashed_name: process-parent-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.parent.saved_user.group.domain: + dashed_name: process-parent-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.parent.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.saved_user.group.id: + dashed_name: process-parent-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.saved_user.group.name: + dashed_name: process-parent-saved-user-group-name + description: Name of the group. + flat_name: process.parent.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.saved_user.hash: + dashed_name: process-parent-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.parent.saved_user.id: + dashed_name: process-parent-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.parent.saved_user.name: + dashed_name: process-parent-saved-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.parent.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.parent.saved_user.risk.calculated_level: + dashed_name: process-parent-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.parent.saved_user.risk.calculated_score: + dashed_name: process-parent-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.parent.saved_user.risk.calculated_score_norm: + dashed_name: process-parent-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.parent.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float + process.parent.saved_user.risk.static_level: + dashed_name: process-parent-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.parent.saved_user.risk.static_score: + dashed_name: process-parent-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.parent.saved_user.risk.static_score_norm: + dashed_name: process-parent-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.parent.saved_user.roles: + dashed_name: process-parent-saved-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.parent.start: + dashed_name: process-parent-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.parent.supplemental_groups.domain: + dashed_name: process-parent-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.supplemental_groups.id: + dashed_name: process-parent-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.supplemental_groups.name: + dashed_name: process-parent-supplemental-groups-name + description: Name of the group. + flat_name: process.parent.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.thread.capabilities.effective: + dashed_name: process-parent-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword + process.parent.thread.capabilities.permitted: + dashed_name: process-parent-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword + process.parent.thread.id: + dashed_name: process-parent-thread-id + description: Thread ID. + example: 4242 + flat_name: process.parent.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long + process.parent.thread.name: + dashed_name: process-parent-thread-name + description: Thread name. + example: thread-0 + flat_name: process.parent.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword + process.parent.title: + dashed_name: process-parent-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' 
+ flat_name: process.parent.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword + process.parent.tty: + dashed_name: process-parent-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.parent.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object + process.parent.tty.char_device.major: + dashed_name: process-parent-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.parent.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long + process.parent.tty.char_device.minor: + dashed_name: process-parent-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.parent.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long + process.parent.tty.columns: + dashed_name: process-parent-tty-columns + description: 'The number of character columns per line. 
e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.parent.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long + process.parent.tty.rows: + dashed_name: process-parent-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.parent.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long + process.parent.uptime: + dashed_name: process-parent-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.parent.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long + process.parent.user.domain: + dashed_name: process-parent-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.parent.user.email: + dashed_name: process-parent-user-email + description: User email address. + flat_name: process.parent.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.parent.user.entity.attributes: + beta: This field is beta and subject to change. 
+ dashed_name: process-parent-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.parent.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.parent.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.parent.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.parent.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.parent.user.entity.id: + dashed_name: process-parent-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.parent.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.parent.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.parent.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.parent.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.parent.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.parent.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.parent.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.parent.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.parent.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. 
+ flat_name: process.parent.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.parent.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.parent.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.parent.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.parent.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.parent.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: process.parent.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.parent.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. 
+ This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.parent.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.parent.user.full_name: + dashed_name: process-parent-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.parent.user.group.domain: + dashed_name: process-parent-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.user.group.id: + dashed_name: process-parent-user-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.parent.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.user.group.name: + dashed_name: process-parent-user-group-name + description: Name of the group. + flat_name: process.parent.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.user.hash: + dashed_name: process-parent-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.parent.user.id: + dashed_name: process-parent-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.parent.user.name: + dashed_name: process-parent-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword + process.parent.user.risk.calculated_level: + dashed_name: process-parent-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.parent.user.risk.calculated_score: + dashed_name: process-parent-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.parent.user.risk.calculated_score_norm: + dashed_name: process-parent-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.parent.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.parent.user.risk.static_level: + dashed_name: process-parent-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.parent.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.parent.user.risk.static_score: + dashed_name: process-parent-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.parent.user.risk.static_score_norm: + dashed_name: process-parent-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.parent.user.roles: + dashed_name: process-parent-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.parent.vpid: + dashed_name: process-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. 
This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.parent.working_directory: + dashed_name: process-parent-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.parent.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword + process.pe.architecture: + dashed_name: process-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + process.pe.company: + dashed_name: process-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.pe.description: + dashed_name: process-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. 
+ type: keyword + process.pe.file_version: + dashed_name: process-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + process.pe.go_import_hash: + dashed_name: process-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword + process.pe.go_imports: + dashed_name: process-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.pe.go_imports_names_entropy: + dashed_name: process-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. 
+ type: long + process.pe.go_imports_names_var_entropy: + dashed_name: process-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.pe.go_stripped: + dashed_name: process-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.pe.imphash: + dashed_name: process-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.pe.import_hash: + dashed_name: process-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.pe.imports: + dashed_name: process-pe-imports + description: List of imported element names and types. + flat_name: process.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + process.pe.imports_names_entropy: + dashed_name: process-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.pe.imports_names_var_entropy: + dashed_name: process-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.pe.original_file_name: + dashed_name: process-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + process.pe.pehash: + dashed_name: process-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. 
+ An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword + process.pe.product: + dashed_name: process-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.pe.sections: + dashed_name: process-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.pe.sections.entropy: + dashed_name: process-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + process.pe.sections.name: + dashed_name: process-pe-sections-name + description: PE Section List name. + flat_name: process.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. 
+ type: keyword + process.pe.sections.physical_size: + dashed_name: process-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.pe.sections.var_entropy: + dashed_name: process-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.pe.sections.virtual_size: + dashed_name: process-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.pid: + dashed_name: process-pid + description: Process id. + example: 4242 + flat_name: process.pid + format: string + level: core + name: pid + normalize: [] + otel: + - relation: match + short: Process id. + type: long + process.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + flat_name: process.platform_binary + level: extended + name: platform_binary + normalize: [] + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. 
+ type: boolean + process.previous.args: + dashed_name: process-previous-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.previous.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.previous.args_count: + dashed_name: process-previous-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.previous.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long + process.previous.attested_groups.domain: + dashed_name: process-previous-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.previous.attested_groups.id: + dashed_name: process-previous-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.previous.attested_groups.name: + dashed_name: process-previous-attested-groups-name + description: Name of the group. 
+ flat_name: process.previous.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.previous.attested_user.domain: + dashed_name: process-previous-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.previous.attested_user.email: + dashed_name: process-previous-attested-user-email + description: User email address. + flat_name: process.previous.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.previous.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.previous.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.previous.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. 
Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.previous.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.previous.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.previous.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.attested_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.previous.attested_user.entity.id: + dashed_name: process-previous-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ flat_name: process.previous.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.previous.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.previous.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.previous.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.previous.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.previous.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.previous.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. 
+ type: object + process.previous.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.previous.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.attested_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.previous.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.previous.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.previous.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: process.previous.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.previous.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.previous.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.previous.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.previous.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.previous.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. 
+ name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
+ example: host + flat_name: process.previous.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.previous.attested_user.full_name: + dashed_name: process-previous-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.previous.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.previous.attested_user.group.domain: + dashed_name: process-previous-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.previous.attested_user.group.id: + dashed_name: process-previous-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.previous.attested_user.group.name: + dashed_name: process-previous-attested-user-group-name + description: Name of the group. + flat_name: process.previous.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.previous.attested_user.hash: + dashed_name: process-previous-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.previous.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.previous.attested_user.id: + dashed_name: process-previous-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.previous.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.previous.attested_user.name: + dashed_name: process-previous-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.previous.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.previous.attested_user.risk.calculated_level: + dashed_name: process-previous-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.previous.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: keyword + process.previous.attested_user.risk.calculated_score: + dashed_name: process-previous-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.previous.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.previous.attested_user.risk.calculated_score_norm: + dashed_name: process-previous-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.previous.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.previous.attested_user.risk.static_level: + dashed_name: process-previous-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.previous.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.previous.attested_user.risk.static_score: + dashed_name: process-previous-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.previous.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.previous.attested_user.risk.static_score_norm: + dashed_name: process-previous-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.previous.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.previous.attested_user.roles: + dashed_name: process-previous-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.previous.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.previous.code_signature.digest_algorithm: + dashed_name: process-previous-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.previous.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. 
+ type: keyword + process.previous.code_signature.exists: + dashed_name: process-previous-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.previous.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.previous.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-previous-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.previous.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword + process.previous.code_signature.signing_id: + dashed_name: process-previous-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.previous.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + process.previous.code_signature.status: + dashed_name: process-previous-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.previous.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. 
+ type: keyword + process.previous.code_signature.subject_name: + dashed_name: process-previous-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.previous.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.previous.code_signature.team_id: + dashed_name: process-previous-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.previous.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + process.previous.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-previous-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.previous.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword + process.previous.code_signature.timestamp: + dashed_name: process-previous-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.previous.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. 
+ type: date + process.previous.code_signature.trusted: + dashed_name: process-previous-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.previous.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.previous.code_signature.valid: + dashed_name: process-previous-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.previous.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + process.previous.command_line: + dashed_name: process-previous-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.previous.command_line + level: extended + multi_fields: + - flat_name: process.previous.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.previous.elf.architecture: + dashed_name: process-previous-elf-architecture + description: Machine architecture of the ELF file. 
+ example: x86-64 + flat_name: process.previous.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.previous.elf.byte_order: + dashed_name: process-previous-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.previous.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + process.previous.elf.cpu_type: + dashed_name: process-previous-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.previous.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + process.previous.elf.creation_date: + dashed_name: process-previous-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: process.previous.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + process.previous.elf.exports: + dashed_name: process-previous-elf-exports + description: List of exported element names and types. + flat_name: process.previous.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + process.previous.elf.go_import_hash: + dashed_name: process-previous-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.previous.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + process.previous.elf.go_imports: + dashed_name: process-previous-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.previous.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.previous.elf.go_imports_names_entropy: + dashed_name: process-previous-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.previous.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + process.previous.elf.go_imports_names_var_entropy: + dashed_name: process-previous-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.previous.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long + process.previous.elf.go_stripped: + dashed_name: process-previous-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.previous.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.previous.elf.header.abi_version: + dashed_name: process-previous-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.previous.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.previous.elf.header.class: + dashed_name: process-previous-elf-header-class + description: Header class of the ELF file. + flat_name: process.previous.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + process.previous.elf.header.data: + dashed_name: process-previous-elf-header-data + description: Data table of the ELF header. + flat_name: process.previous.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + process.previous.elf.header.entrypoint: + dashed_name: process-previous-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.previous.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. 
+ type: long + process.previous.elf.header.object_version: + dashed_name: process-previous-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.previous.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.previous.elf.header.os_abi: + dashed_name: process-previous-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.previous.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.previous.elf.header.type: + dashed_name: process-previous-elf-header-type + description: Header type of the ELF file. + flat_name: process.previous.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.previous.elf.header.version: + dashed_name: process-previous-elf-header-version + description: Version of the ELF header. + flat_name: process.previous.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.previous.elf.import_hash: + dashed_name: process-previous-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.previous.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword + process.previous.elf.imports: + dashed_name: process-previous-elf-imports + description: List of imported element names and types. + flat_name: process.previous.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.previous.elf.imports_names_entropy: + dashed_name: process-previous-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.previous.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.previous.elf.imports_names_var_entropy: + dashed_name: process-previous-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.previous.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.previous.elf.sections: + dashed_name: process-previous-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.previous.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. 
+ type: nested + process.previous.elf.sections.chi2: + dashed_name: process-previous-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.previous.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.previous.elf.sections.entropy: + dashed_name: process-previous-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.previous.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.previous.elf.sections.flags: + dashed_name: process-previous-elf-sections-flags + description: ELF Section List flags. + flat_name: process.previous.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + process.previous.elf.sections.name: + dashed_name: process-previous-elf-sections-name + description: ELF Section List name. + flat_name: process.previous.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.previous.elf.sections.physical_offset: + dashed_name: process-previous-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.previous.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.previous.elf.sections.physical_size: + dashed_name: process-previous-elf-sections-physical-size + description: ELF Section List physical size. 
+ flat_name: process.previous.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + process.previous.elf.sections.type: + dashed_name: process-previous-elf-sections-type + description: ELF Section List type. + flat_name: process.previous.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.previous.elf.sections.var_entropy: + dashed_name: process-previous-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.previous.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long + process.previous.elf.sections.virtual_address: + dashed_name: process-previous-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.previous.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.previous.elf.sections.virtual_size: + dashed_name: process-previous-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.previous.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + process.previous.elf.segments: + dashed_name: process-previous-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' 
+ flat_name: process.previous.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + process.previous.elf.segments.sections: + dashed_name: process-previous-elf-segments-sections + description: ELF object segment sections. + flat_name: process.previous.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.previous.elf.segments.type: + dashed_name: process-previous-elf-segments-type + description: ELF object segment type. + flat_name: process.previous.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + process.previous.elf.shared_libraries: + dashed_name: process-previous-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.previous.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + process.previous.elf.telfhash: + dashed_name: process-previous-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.previous.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + process.previous.end: + dashed_name: process-previous-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.previous.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date + process.previous.endpoint_security_client: + beta: This field is beta and subject to change. 
+ dashed_name: process-previous-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.previous.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.previous.entity_id: + dashed_name: process-previous-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.previous.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.previous.entry_meta.source.address: + dashed_name: process-previous-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.previous.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. 
+ type: keyword + process.previous.entry_meta.source.as.number: + dashed_name: process-previous-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.previous.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.previous.entry_meta.source.as.organization.name: + dashed_name: process-previous-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.previous.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword + process.previous.entry_meta.source.bytes: + dashed_name: process-previous-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.previous.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.previous.entry_meta.source.domain: + dashed_name: process-previous-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.previous.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. 
+ type: keyword + process.previous.entry_meta.source.geo.city_name: + dashed_name: process-previous-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.previous.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + process.previous.entry_meta.source.geo.continent_code: + dashed_name: process-previous-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.previous.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + process.previous.entry_meta.source.geo.continent_name: + dashed_name: process-previous-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.previous.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.previous.entry_meta.source.geo.country_iso_code: + dashed_name: process-previous-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.previous.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + process.previous.entry_meta.source.geo.country_name: + dashed_name: process-previous-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.previous.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. 
+ type: keyword + process.previous.entry_meta.source.geo.location: + dashed_name: process-previous-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.previous.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + process.previous.entry_meta.source.geo.name: + dashed_name: process-previous-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.previous.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.previous.entry_meta.source.geo.postal_code: + dashed_name: process-previous-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.previous.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.previous.entry_meta.source.geo.region_iso_code: + dashed_name: process-previous-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.previous.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. 
+ type: keyword + process.previous.entry_meta.source.geo.region_name: + dashed_name: process-previous-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.previous.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + process.previous.entry_meta.source.geo.timezone: + dashed_name: process-previous-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.previous.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.previous.entry_meta.source.ip: + dashed_name: process-previous-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.previous.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip + process.previous.entry_meta.source.mac: + dashed_name: process-previous-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.previous.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.previous.entry_meta.source.nat.ip: + dashed_name: process-previous-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. 
internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.previous.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.previous.entry_meta.source.nat.port: + dashed_name: process-previous-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.previous.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.previous.entry_meta.source.packets: + dashed_name: process-previous-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.previous.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.previous.entry_meta.source.port: + dashed_name: process-previous-entry-meta-source-port + description: Port of the source. + flat_name: process.previous.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.previous.entry_meta.source.registered_domain: + dashed_name: process-previous-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' 
+ example: example.com + flat_name: process.previous.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.previous.entry_meta.source.subdomain: + dashed_name: process-previous-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.previous.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.previous.entry_meta.source.top_level_domain: + dashed_name: process-previous-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.previous.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). 
+ type: keyword + process.previous.entry_meta.type: + dashed_name: process-previous-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.previous.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword + process.previous.env_vars: + dashed_name: process-previous-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.previous.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.previous.executable: + dashed_name: process-previous-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.previous.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword + process.previous.exit_code: + dashed_name: process-previous-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.previous.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. 
+ type: long + process.previous.group.domain: + dashed_name: process-previous-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.previous.group.id: + dashed_name: process-previous-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.previous.group.name: + dashed_name: process-previous-group-name + description: Name of the group. + flat_name: process.previous.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.previous.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-previous-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.previous.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.previous.hash.md5: + dashed_name: process-previous-hash-md5 + description: MD5 hash. + flat_name: process.previous.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.previous.hash.sha1: + dashed_name: process-previous-hash-sha1 + description: SHA1 hash. 
+ flat_name: process.previous.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + process.previous.hash.sha256: + dashed_name: process-previous-hash-sha256 + description: SHA256 hash. + flat_name: process.previous.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.previous.hash.sha384: + dashed_name: process-previous-hash-sha384 + description: SHA384 hash. + flat_name: process.previous.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword + process.previous.hash.sha512: + dashed_name: process-previous-hash-sha512 + description: SHA512 hash. + flat_name: process.previous.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.previous.hash.ssdeep: + dashed_name: process-previous-hash-ssdeep + description: SSDEEP hash. + flat_name: process.previous.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + process.previous.hash.tlsh: + dashed_name: process-previous-hash-tlsh + description: TLSH hash. + flat_name: process.previous.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.previous.interactive: + dashed_name: process-previous-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. 
+ + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.previous.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.previous.io: + dashed_name: process-previous-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.previous.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object + process.previous.io.bytes_skipped: + dashed_name: process-previous-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + flat_name: process.previous.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.previous.io.bytes_skipped.length: + dashed_name: process-previous-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.previous.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. 
+ type: long + process.previous.io.bytes_skipped.offset: + dashed_name: process-previous-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.previous.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.previous.io.max_bytes_per_process_exceeded: + dashed_name: process-previous-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.previous.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.previous.io.text: + dashed_name: process-previous-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.previous.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard + process.previous.io.total_bytes_captured: + dashed_name: process-previous-io-total-bytes-captured + description: The total number of bytes captured in this event. 
+ flat_name: process.previous.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long + process.previous.io.total_bytes_skipped: + dashed_name: process-previous-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.previous.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: long + process.previous.io.type: + dashed_name: process-previous-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.previous.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword + process.previous.macho.go_import_hash: + dashed_name: process-previous-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.previous.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword + process.previous.macho.go_imports: + dashed_name: process-previous-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.previous.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.previous.macho.go_imports_names_entropy: + dashed_name: process-previous-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.previous.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.previous.macho.go_imports_names_var_entropy: + dashed_name: process-previous-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.previous.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.previous.macho.go_stripped: + dashed_name: process-previous-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. 
+ flat_name: process.previous.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.previous.macho.import_hash: + dashed_name: process-previous-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.previous.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.previous.macho.imports: + dashed_name: process-previous-macho-imports + description: List of imported element names and types. + flat_name: process.previous.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + process.previous.macho.imports_names_entropy: + dashed_name: process-previous-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.previous.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.previous.macho.imports_names_var_entropy: + dashed_name: process-previous-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.previous.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.previous.macho.sections: + dashed_name: process-previous-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.previous.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.previous.macho.sections.entropy: + dashed_name: process-previous-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.previous.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long + process.previous.macho.sections.name: + dashed_name: process-previous-macho-sections-name + description: Mach-O Section List name. + flat_name: process.previous.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.previous.macho.sections.physical_size: + dashed_name: process-previous-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.previous.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. 
+ type: long + process.previous.macho.sections.var_entropy: + dashed_name: process-previous-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.previous.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.previous.macho.sections.virtual_size: + dashed_name: process-previous-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.previous.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.previous.macho.symhash: + dashed_name: process-previous-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.previous.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.previous.name: + dashed_name: process-previous-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.previous.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. 
+ type: keyword + process.previous.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-previous-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.previous.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.previous.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-previous-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.previous.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword + process.previous.pe.architecture: + dashed_name: process-previous-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.previous.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + process.previous.pe.company: + dashed_name: process-previous-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.previous.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.previous.pe.description: + dashed_name: process-previous-pe-description + description: Internal description of the file, provided at compile-time. 
+ example: Paint + flat_name: process.previous.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + process.previous.pe.file_version: + dashed_name: process-previous-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.previous.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + process.previous.pe.go_import_hash: + dashed_name: process-previous-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.previous.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword + process.previous.pe.go_imports: + dashed_name: process-previous-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.previous.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.previous.pe.go_imports_names_entropy: + dashed_name: process-previous-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.previous.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.previous.pe.go_imports_names_var_entropy: + dashed_name: process-previous-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.previous.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.previous.pe.go_stripped: + dashed_name: process-previous-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.previous.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.previous.pe.imphash: + dashed_name: process-previous-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.previous.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.previous.pe.import_hash: + dashed_name: process-previous-pe-import-hash + description: 'A hash of the imports in a PE file. 
An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.previous.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.previous.pe.imports: + dashed_name: process-previous-pe-imports + description: List of imported element names and types. + flat_name: process.previous.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + process.previous.pe.imports_names_entropy: + dashed_name: process-previous-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.previous.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.previous.pe.imports_names_var_entropy: + dashed_name: process-previous-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.previous.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.previous.pe.original_file_name: + dashed_name: process-previous-pe-original-file-name + description: Internal name of the file, provided at compile-time. 
+ example: MSPAINT.EXE + flat_name: process.previous.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + process.previous.pe.pehash: + dashed_name: process-previous-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.previous.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword + process.previous.pe.product: + dashed_name: process-previous-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.previous.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.previous.pe.sections: + dashed_name: process-previous-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.previous.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.previous.pe.sections.entropy: + dashed_name: process-previous-pe-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: process.previous.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + process.previous.pe.sections.name: + dashed_name: process-previous-pe-sections-name + description: PE Section List name. + flat_name: process.previous.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + process.previous.pe.sections.physical_size: + dashed_name: process-previous-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.previous.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.previous.pe.sections.var_entropy: + dashed_name: process-previous-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.previous.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.previous.pe.sections.virtual_size: + dashed_name: process-previous-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.previous.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.previous.pid: + dashed_name: process-previous-pid + description: Process id. 
+ example: 4242 + flat_name: process.previous.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.previous.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-previous-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + flat_name: process.previous.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.previous.real_group.domain: + dashed_name: process-previous-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.previous.real_group.id: + dashed_name: process-previous-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.previous.real_group.name: + dashed_name: process-previous-real-group-name + description: Name of the group. + flat_name: process.previous.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.previous.real_user.domain: + dashed_name: process-previous-real-user-domain + description: 'Name of the directory the user is a member of. 
+ + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.previous.real_user.email: + dashed_name: process-previous-real-user-email + description: User email address. + flat_name: process.previous.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.previous.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.previous.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.previous.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.previous.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.previous.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.previous.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.real_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.previous.real_user.entity.id: + dashed_name: process-previous-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.previous.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. 
+ type: keyword + process.previous.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.previous.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.previous.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.previous.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.previous.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.previous.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.previous.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-name + description: The name of the entity. 
The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.previous.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.real_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.previous.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.previous.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.previous.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.previous.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.previous.real_user.entity.source: + beta: This field is beta and subject to change. 
+ dashed_name: process-previous-real-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.previous.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.previous.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.previous.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.previous.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. 
+ name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. 
+ name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.previous.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.previous.real_user.full_name: + dashed_name: process-previous-real-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.previous.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.previous.real_user.group.domain: + dashed_name: process-previous-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.previous.real_user.group.id: + dashed_name: process-previous-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.previous.real_user.group.name: + dashed_name: process-previous-real-user-group-name + description: Name of the group. + flat_name: process.previous.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.previous.real_user.hash: + dashed_name: process-previous-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.previous.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. 
+ type: keyword + process.previous.real_user.id: + dashed_name: process-previous-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.previous.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.previous.real_user.name: + dashed_name: process-previous-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.previous.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.previous.real_user.risk.calculated_level: + dashed_name: process-previous-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.previous.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.previous.real_user.risk.calculated_score: + dashed_name: process-previous-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.previous.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + process.previous.real_user.risk.calculated_score_norm: + dashed_name: process-previous-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.previous.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.previous.real_user.risk.static_level: + dashed_name: process-previous-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.previous.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.previous.real_user.risk.static_score: + dashed_name: process-previous-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.previous.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.previous.real_user.risk.static_score_norm: + dashed_name: process-previous-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + flat_name: process.previous.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.previous.real_user.roles: + dashed_name: process-previous-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.previous.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.previous.same_as_process: + dashed_name: process-previous-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' 
+ example: true + flat_name: process.previous.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. + type: boolean + process.previous.saved_group.domain: + dashed_name: process-previous-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.previous.saved_group.id: + dashed_name: process-previous-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.previous.saved_group.name: + dashed_name: process-previous-saved-group-name + description: Name of the group. + flat_name: process.previous.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.previous.saved_user.domain: + dashed_name: process-previous-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.previous.saved_user.email: + dashed_name: process-previous-saved-user-email + description: User email address. 
+ flat_name: process.previous.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.previous.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.previous.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.previous.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.previous.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.previous.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. 
This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.previous.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.saved_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.previous.saved_user.entity.id: + dashed_name: process-previous-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.previous.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.previous.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.previous.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." 
+ type: date + process.previous.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.previous.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.previous.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.previous.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.previous.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.previous.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.saved_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.previous.saved_user.entity.raw: + beta: This field is beta and subject to change. 
+ dashed_name: process-previous-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.previous.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.previous.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.previous.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.previous.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.previous.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.previous.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. 
Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.previous.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.previous.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. 
This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. 
This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.previous.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.previous.saved_user.full_name: + dashed_name: process-previous-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.previous.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.previous.saved_user.group.domain: + dashed_name: process-previous-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.previous.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.previous.saved_user.group.id: + dashed_name: process-previous-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.previous.saved_user.group.name: + dashed_name: process-previous-saved-user-group-name + description: Name of the group. + flat_name: process.previous.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.previous.saved_user.hash: + dashed_name: process-previous-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.previous.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.previous.saved_user.id: + dashed_name: process-previous-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.previous.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.previous.saved_user.name: + dashed_name: process-previous-saved-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.previous.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.previous.saved_user.risk.calculated_level: + dashed_name: process-previous-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.previous.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.previous.saved_user.risk.calculated_score: + dashed_name: process-previous-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.previous.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.previous.saved_user.risk.calculated_score_norm: + dashed_name: process-previous-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.previous.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float + process.previous.saved_user.risk.static_level: + dashed_name: process-previous-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.previous.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.previous.saved_user.risk.static_score: + dashed_name: process-previous-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.previous.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.previous.saved_user.risk.static_score_norm: + dashed_name: process-previous-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.previous.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.previous.saved_user.roles: + dashed_name: process-previous-saved-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.previous.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.previous.start: + dashed_name: process-previous-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.previous.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.previous.supplemental_groups.domain: + dashed_name: process-previous-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.previous.supplemental_groups.id: + dashed_name: process-previous-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.previous.supplemental_groups.name: + dashed_name: process-previous-supplemental-groups-name + description: Name of the group. + flat_name: process.previous.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.previous.thread.capabilities.effective: + dashed_name: process-previous-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.previous.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword + process.previous.thread.capabilities.permitted: + dashed_name: process-previous-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.previous.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword + process.previous.thread.id: + dashed_name: process-previous-thread-id + description: Thread ID. + example: 4242 + flat_name: process.previous.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long + process.previous.thread.name: + dashed_name: process-previous-thread-name + description: Thread name. + example: thread-0 + flat_name: process.previous.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword + process.previous.title: + dashed_name: process-previous-title + description: 'Process title. + + The proctitle, some times the same as process name. 
Can also be different: + for example a browser setting its title to the web page currently opened.' + flat_name: process.previous.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword + process.previous.tty: + dashed_name: process-previous-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.previous.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object + process.previous.tty.char_device.major: + dashed_name: process-previous-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.previous.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long + process.previous.tty.char_device.minor: + dashed_name: process-previous-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.previous.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. 
+ type: long + process.previous.tty.columns: + dashed_name: process-previous-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.previous.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long + process.previous.tty.rows: + dashed_name: process-previous-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.previous.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long + process.previous.uptime: + dashed_name: process-previous-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.previous.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long + process.previous.user.domain: + dashed_name: process-previous-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.previous.user.email: + dashed_name: process-previous-user-email + description: User email address. 
+ flat_name: process.previous.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.previous.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.previous.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.previous.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.previous.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.previous.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. 
This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.previous.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.previous.user.entity.id: + dashed_name: process-previous-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.previous.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.previous.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.previous.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.previous.user.entity.lifecycle: + beta: This field is beta and subject to change. 
+ dashed_name: process-previous-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.previous.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.previous.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.previous.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.previous.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.previous.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.previous.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. 
While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.previous.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.previous.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.previous.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.previous.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.previous.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.previous.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.previous.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.previous.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. 
+ This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.previous.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.previous.user.full_name: + dashed_name: process-previous-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.previous.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.previous.user.group.domain: + dashed_name: process-previous-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.previous.user.group.id: + dashed_name: process-previous-user-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.previous.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.previous.user.group.name: + dashed_name: process-previous-user-group-name + description: Name of the group. + flat_name: process.previous.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.previous.user.hash: + dashed_name: process-previous-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.previous.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.previous.user.id: + dashed_name: process-previous-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.previous.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.previous.user.name: + dashed_name: process-previous-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.previous.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword + process.previous.user.risk.calculated_level: + dashed_name: process-previous-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.previous.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.previous.user.risk.calculated_score: + dashed_name: process-previous-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.previous.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.previous.user.risk.calculated_score_norm: + dashed_name: process-previous-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.previous.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.previous.user.risk.static_level: + dashed_name: process-previous-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.previous.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.previous.user.risk.static_score: + dashed_name: process-previous-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.previous.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.previous.user.risk.static_score_norm: + dashed_name: process-previous-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.previous.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.previous.user.roles: + dashed_name: process-previous-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.previous.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.previous.vpid: + dashed_name: process-previous-vpid + description: 'Virtual process id. + + The process id within a pid namespace. 
This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.previous.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.previous.working_directory: + dashed_name: process-previous-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.previous.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword + process.real_group.domain: + dashed_name: process-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.real_group.id: + dashed_name: process-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.real_group.name: + dashed_name: process-real-group-name + description: Name of the group. + flat_name: process.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.real_user.domain: + dashed_name: process-real-user-domain + description: 'Name of the directory the user is a member of. 
+ + For example, an LDAP or Active Directory domain name.' + flat_name: process.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.real_user.email: + dashed_name: process-real-user-email + description: User email address. + flat_name: process.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. 
+ type: object + process.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.real_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.real_user.entity.id: + dashed_name: process-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. 
+ flat_name: process.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.real_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. 
+ type: keyword + process.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. 
Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. 
This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. 
This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.real_user.full_name: + dashed_name: process-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.real_user.group.domain: + dashed_name: process-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.real_user.group.id: + dashed_name: process-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.real_user.group.name: + dashed_name: process-real-user-group-name + description: Name of the group. + flat_name: process.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.real_user.hash: + dashed_name: process-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.real_user.id: + dashed_name: process-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + otel: + - relation: match + short: Unique identifier of the user. + type: keyword + process.real_user.name: + dashed_name: process-real-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + otel: + - relation: match + short: Short name or login of the user. + type: keyword + process.real_user.risk.calculated_level: + dashed_name: process-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.real_user.risk.calculated_score: + dashed_name: process-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.real_user.risk.calculated_score_norm: + dashed_name: process-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float + process.real_user.risk.static_level: + dashed_name: process-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.real_user.risk.static_score: + dashed_name: process-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.real_user.risk.static_score_norm: + dashed_name: process-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.real_user.roles: + dashed_name: process-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword + process.responsible.args: + dashed_name: process-responsible-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.responsible.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.responsible.args_count: + dashed_name: process-responsible-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.responsible.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long + process.responsible.attested_groups.domain: + dashed_name: process-responsible-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.responsible.attested_groups.id: + dashed_name: process-responsible-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + process.responsible.attested_groups.name: + dashed_name: process-responsible-attested-groups-name + description: Name of the group. + flat_name: process.responsible.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.responsible.attested_user.domain: + dashed_name: process-responsible-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.responsible.attested_user.email: + dashed_name: process-responsible-attested-user-email + description: User email address. + flat_name: process.responsible.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.responsible.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.responsible.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.responsible.attested_user.entity.behavior: + beta: This field is beta and subject to change. 
+ dashed_name: process-responsible-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.responsible.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.responsible.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.responsible.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.attested_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.responsible.attested_user.entity.id: + dashed_name: process-responsible-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). 
For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.responsible.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.responsible.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.responsible.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.responsible.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.responsible.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.responsible.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. 
+ flat_name: process.responsible.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.responsible.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.responsible.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.attested_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.responsible.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.responsible.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.responsible.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. 
Format may vary by entity type and source system. + flat_name: process.responsible.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.responsible.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.responsible.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.responsible.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.responsible.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.responsible.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. 
Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. 
Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. 
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.responsible.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.responsible.attested_user.full_name: + dashed_name: process-responsible-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.responsible.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.responsible.attested_user.group.domain: + dashed_name: process-responsible-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.responsible.attested_user.group.id: + dashed_name: process-responsible-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.responsible.attested_user.group.name: + dashed_name: process-responsible-attested-user-group-name + description: Name of the group. 
+ flat_name: process.responsible.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.responsible.attested_user.hash: + dashed_name: process-responsible-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.responsible.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.responsible.attested_user.id: + dashed_name: process-responsible-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.responsible.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.responsible.attested_user.name: + dashed_name: process-responsible-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.responsible.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.responsible.attested_user.risk.calculated_level: + dashed_name: process-responsible-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.responsible.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.responsible.attested_user.risk.calculated_score: + dashed_name: process-responsible-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.responsible.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.responsible.attested_user.risk.calculated_score_norm: + dashed_name: process-responsible-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.responsible.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.responsible.attested_user.risk.static_level: + dashed_name: process-responsible-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.responsible.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.responsible.attested_user.risk.static_score: + dashed_name: process-responsible-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.responsible.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.responsible.attested_user.risk.static_score_norm: + dashed_name: process-responsible-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.responsible.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.responsible.attested_user.roles: + dashed_name: process-responsible-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.responsible.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword + process.responsible.code_signature.digest_algorithm: + dashed_name: process-responsible-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.responsible.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword + process.responsible.code_signature.exists: + dashed_name: process-responsible-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.responsible.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.responsible.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-responsible-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.responsible.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword + process.responsible.code_signature.signing_id: + dashed_name: process-responsible-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' 
+ example: com.apple.xpc.proxy + flat_name: process.responsible.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + process.responsible.code_signature.status: + dashed_name: process-responsible-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.responsible.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + process.responsible.code_signature.subject_name: + dashed_name: process-responsible-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.responsible.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.responsible.code_signature.team_id: + dashed_name: process-responsible-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.responsible.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + process.responsible.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. 
+ dashed_name: process-responsible-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.responsible.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword + process.responsible.code_signature.timestamp: + dashed_name: process-responsible-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.responsible.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date + process.responsible.code_signature.trusted: + dashed_name: process-responsible-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.responsible.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.responsible.code_signature.valid: + dashed_name: process-responsible-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.responsible.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. 
+ type: boolean + process.responsible.command_line: + dashed_name: process-responsible-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.responsible.command_line + level: extended + multi_fields: + - flat_name: process.responsible.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.responsible.elf.architecture: + dashed_name: process-responsible-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.responsible.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.responsible.elf.byte_order: + dashed_name: process-responsible-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.responsible.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + process.responsible.elf.cpu_type: + dashed_name: process-responsible-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.responsible.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + process.responsible.elf.creation_date: + dashed_name: process-responsible-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. 
+ flat_name: process.responsible.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + process.responsible.elf.exports: + dashed_name: process-responsible-elf-exports + description: List of exported element names and types. + flat_name: process.responsible.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + process.responsible.elf.go_import_hash: + dashed_name: process-responsible-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.responsible.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + process.responsible.elf.go_imports: + dashed_name: process-responsible-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.responsible.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.responsible.elf.go_imports_names_entropy: + dashed_name: process-responsible-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.responsible.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + process.responsible.elf.go_imports_names_var_entropy: + dashed_name: process-responsible-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.responsible.elf.go_stripped: + dashed_name: process-responsible-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.responsible.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.responsible.elf.header.abi_version: + dashed_name: process-responsible-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.responsible.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.responsible.elf.header.class: + dashed_name: process-responsible-elf-header-class + description: Header class of the ELF file. + flat_name: process.responsible.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. 
+ type: keyword + process.responsible.elf.header.data: + dashed_name: process-responsible-elf-header-data + description: Data table of the ELF header. + flat_name: process.responsible.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + process.responsible.elf.header.entrypoint: + dashed_name: process-responsible-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.responsible.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.responsible.elf.header.object_version: + dashed_name: process-responsible-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.responsible.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.responsible.elf.header.os_abi: + dashed_name: process-responsible-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.responsible.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.responsible.elf.header.type: + dashed_name: process-responsible-elf-header-type + description: Header type of the ELF file. + flat_name: process.responsible.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.responsible.elf.header.version: + dashed_name: process-responsible-elf-header-version + description: Version of the ELF header. 
+ flat_name: process.responsible.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.responsible.elf.import_hash: + dashed_name: process-responsible-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.responsible.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword + process.responsible.elf.imports: + dashed_name: process-responsible-elf-imports + description: List of imported element names and types. + flat_name: process.responsible.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.responsible.elf.imports_names_entropy: + dashed_name: process-responsible-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.responsible.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.responsible.elf.imports_names_var_entropy: + dashed_name: process-responsible-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.responsible.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.responsible.elf.sections: + dashed_name: process-responsible-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.responsible.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.responsible.elf.sections.chi2: + dashed_name: process-responsible-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.responsible.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.responsible.elf.sections.entropy: + dashed_name: process-responsible-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.responsible.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.responsible.elf.sections.flags: + dashed_name: process-responsible-elf-sections-flags + description: ELF Section List flags. + flat_name: process.responsible.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + process.responsible.elf.sections.name: + dashed_name: process-responsible-elf-sections-name + description: ELF Section List name. 
+ flat_name: process.responsible.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.responsible.elf.sections.physical_offset: + dashed_name: process-responsible-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.responsible.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.responsible.elf.sections.physical_size: + dashed_name: process-responsible-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.responsible.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + process.responsible.elf.sections.type: + dashed_name: process-responsible-elf-sections-type + description: ELF Section List type. + flat_name: process.responsible.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.responsible.elf.sections.var_entropy: + dashed_name: process-responsible-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.responsible.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long + process.responsible.elf.sections.virtual_address: + dashed_name: process-responsible-elf-sections-virtual-address + description: ELF Section List virtual address. 
+ flat_name: process.responsible.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.responsible.elf.sections.virtual_size: + dashed_name: process-responsible-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.responsible.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + process.responsible.elf.segments: + dashed_name: process-responsible-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.responsible.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + process.responsible.elf.segments.sections: + dashed_name: process-responsible-elf-segments-sections + description: ELF object segment sections. + flat_name: process.responsible.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.responsible.elf.segments.type: + dashed_name: process-responsible-elf-segments-type + description: ELF object segment type. + flat_name: process.responsible.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + process.responsible.elf.shared_libraries: + dashed_name: process-responsible-elf-shared-libraries + description: List of shared libraries used by this ELF object. 
+ flat_name: process.responsible.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + process.responsible.elf.telfhash: + dashed_name: process-responsible-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.responsible.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + process.responsible.end: + dashed_name: process-responsible-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.responsible.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date + process.responsible.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-responsible-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.responsible.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.responsible.entity_id: + dashed_name: process-responsible-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' 
+ example: c2c455d9f99375d + flat_name: process.responsible.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.responsible.entry_meta.source.address: + dashed_name: process-responsible-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.responsible.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword + process.responsible.entry_meta.source.as.number: + dashed_name: process-responsible-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.responsible.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.responsible.entry_meta.source.as.organization.name: + dashed_name: process-responsible-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.responsible.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. 
+ type: keyword + process.responsible.entry_meta.source.bytes: + dashed_name: process-responsible-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.responsible.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.responsible.entry_meta.source.domain: + dashed_name: process-responsible-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.responsible.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.responsible.entry_meta.source.geo.city_name: + dashed_name: process-responsible-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.responsible.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + process.responsible.entry_meta.source.geo.continent_code: + dashed_name: process-responsible-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.responsible.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + process.responsible.entry_meta.source.geo.continent_name: + dashed_name: process-responsible-entry-meta-source-geo-continent-name + description: Name of the continent. 
+ example: North America + flat_name: process.responsible.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.responsible.entry_meta.source.geo.country_iso_code: + dashed_name: process-responsible-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.responsible.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + process.responsible.entry_meta.source.geo.country_name: + dashed_name: process-responsible-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.responsible.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + process.responsible.entry_meta.source.geo.location: + dashed_name: process-responsible-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.responsible.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + process.responsible.entry_meta.source.geo.name: + dashed_name: process-responsible-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' 
+ example: boston-dc + flat_name: process.responsible.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.responsible.entry_meta.source.geo.postal_code: + dashed_name: process-responsible-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.responsible.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.responsible.entry_meta.source.geo.region_iso_code: + dashed_name: process-responsible-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.responsible.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.responsible.entry_meta.source.geo.region_name: + dashed_name: process-responsible-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.responsible.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + process.responsible.entry_meta.source.geo.timezone: + dashed_name: process-responsible-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.responsible.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. 
+ type: keyword + process.responsible.entry_meta.source.ip: + dashed_name: process-responsible-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.responsible.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip + process.responsible.entry_meta.source.mac: + dashed_name: process-responsible-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.responsible.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.responsible.entry_meta.source.nat.ip: + dashed_name: process-responsible-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.responsible.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.responsible.entry_meta.source.nat.port: + dashed_name: process-responsible-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' 
+ flat_name: process.responsible.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.responsible.entry_meta.source.packets: + dashed_name: process-responsible-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.responsible.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.responsible.entry_meta.source.port: + dashed_name: process-responsible-entry-meta-source-port + description: Port of the source. + flat_name: process.responsible.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.responsible.entry_meta.source.registered_domain: + dashed_name: process-responsible-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.responsible.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.responsible.entry_meta.source.subdomain: + dashed_name: process-responsible-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. 
In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.responsible.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.responsible.entry_meta.source.top_level_domain: + dashed_name: process-responsible-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.responsible.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword + process.responsible.entry_meta.type: + dashed_name: process-responsible-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.responsible.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. 
+ type: keyword + process.responsible.env_vars: + dashed_name: process-responsible-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.responsible.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.responsible.executable: + dashed_name: process-responsible-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.responsible.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword + process.responsible.exit_code: + dashed_name: process-responsible-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.responsible.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long + process.responsible.group.domain: + dashed_name: process-responsible-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.responsible.group.id: + dashed_name: process-responsible-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.responsible.group.name: + dashed_name: process-responsible-group-name + description: Name of the group. + flat_name: process.responsible.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.responsible.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-responsible-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.responsible.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.responsible.hash.md5: + dashed_name: process-responsible-hash-md5 + description: MD5 hash. + flat_name: process.responsible.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.responsible.hash.sha1: + dashed_name: process-responsible-hash-sha1 + description: SHA1 hash. + flat_name: process.responsible.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + process.responsible.hash.sha256: + dashed_name: process-responsible-hash-sha256 + description: SHA256 hash. 
+ flat_name: process.responsible.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.responsible.hash.sha384: + dashed_name: process-responsible-hash-sha384 + description: SHA384 hash. + flat_name: process.responsible.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword + process.responsible.hash.sha512: + dashed_name: process-responsible-hash-sha512 + description: SHA512 hash. + flat_name: process.responsible.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.responsible.hash.ssdeep: + dashed_name: process-responsible-hash-ssdeep + description: SSDEEP hash. + flat_name: process.responsible.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + process.responsible.hash.tlsh: + dashed_name: process-responsible-hash-tlsh + description: TLSH hash. + flat_name: process.responsible.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.responsible.interactive: + dashed_name: process-responsible-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). 
A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.responsible.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.responsible.io: + dashed_name: process-responsible-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.responsible.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object + process.responsible.io.bytes_skipped: + dashed_name: process-responsible-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + flat_name: process.responsible.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.responsible.io.bytes_skipped.length: + dashed_name: process-responsible-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.responsible.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long + process.responsible.io.bytes_skipped.offset: + dashed_name: process-responsible-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. 
+ flat_name: process.responsible.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.responsible.io.max_bytes_per_process_exceeded: + dashed_name: process-responsible-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.responsible.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.responsible.io.text: + dashed_name: process-responsible-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.responsible.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard + process.responsible.io.total_bytes_captured: + dashed_name: process-responsible-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.responsible.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. 
+ type: long + process.responsible.io.total_bytes_skipped: + dashed_name: process-responsible-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.responsible.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: long + process.responsible.io.type: + dashed_name: process-responsible-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.responsible.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword + process.responsible.macho.go_import_hash: + dashed_name: process-responsible-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.responsible.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. 
+ type: keyword + process.responsible.macho.go_imports: + dashed_name: process-responsible-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.responsible.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.responsible.macho.go_imports_names_entropy: + dashed_name: process-responsible-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.responsible.macho.go_imports_names_var_entropy: + dashed_name: process-responsible-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.responsible.macho.go_stripped: + dashed_name: process-responsible-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.responsible.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.responsible.macho.import_hash: + dashed_name: process-responsible-macho-import-hash + description: 'A hash of the imports in a Mach-O file. 
An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.responsible.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.responsible.macho.imports: + dashed_name: process-responsible-macho-imports + description: List of imported element names and types. + flat_name: process.responsible.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + process.responsible.macho.imports_names_entropy: + dashed_name: process-responsible-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.responsible.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.responsible.macho.imports_names_var_entropy: + dashed_name: process-responsible-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.responsible.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.responsible.macho.sections: + dashed_name: process-responsible-macho-sections + description: 'An array containing an object for each section of the Mach-O file. 
+ + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.responsible.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.responsible.macho.sections.entropy: + dashed_name: process-responsible-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.responsible.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long + process.responsible.macho.sections.name: + dashed_name: process-responsible-macho-sections-name + description: Mach-O Section List name. + flat_name: process.responsible.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.responsible.macho.sections.physical_size: + dashed_name: process-responsible-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.responsible.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.responsible.macho.sections.var_entropy: + dashed_name: process-responsible-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.responsible.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. 
+ type: long + process.responsible.macho.sections.virtual_size: + dashed_name: process-responsible-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.responsible.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.responsible.macho.symhash: + dashed_name: process-responsible-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.responsible.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.responsible.name: + dashed_name: process-responsible-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.responsible.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword + process.responsible.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-responsible-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. 
+ example: http://example.com/article1.html + flat_name: process.responsible.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.responsible.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-responsible-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.responsible.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword + process.responsible.pe.architecture: + dashed_name: process-responsible-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.responsible.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + process.responsible.pe.company: + dashed_name: process-responsible-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.responsible.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.responsible.pe.description: + dashed_name: process-responsible-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.responsible.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. 
+ type: keyword + process.responsible.pe.file_version: + dashed_name: process-responsible-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.responsible.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + process.responsible.pe.go_import_hash: + dashed_name: process-responsible-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.responsible.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword + process.responsible.pe.go_imports: + dashed_name: process-responsible-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.responsible.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.responsible.pe.go_imports_names_entropy: + dashed_name: process-responsible-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. 
+ type: long + process.responsible.pe.go_imports_names_var_entropy: + dashed_name: process-responsible-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.responsible.pe.go_stripped: + dashed_name: process-responsible-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.responsible.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.responsible.pe.imphash: + dashed_name: process-responsible-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.responsible.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.responsible.pe.import_hash: + dashed_name: process-responsible-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.responsible.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.responsible.pe.imports: + dashed_name: process-responsible-pe-imports + description: List of imported element names and types. + flat_name: process.responsible.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + process.responsible.pe.imports_names_entropy: + dashed_name: process-responsible-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.responsible.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.responsible.pe.imports_names_var_entropy: + dashed_name: process-responsible-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.responsible.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.responsible.pe.original_file_name: + dashed_name: process-responsible-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.responsible.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. 
+ type: keyword + process.responsible.pe.pehash: + dashed_name: process-responsible-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.responsible.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword + process.responsible.pe.product: + dashed_name: process-responsible-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.responsible.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.responsible.pe.sections: + dashed_name: process-responsible-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.responsible.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.responsible.pe.sections.entropy: + dashed_name: process-responsible-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.responsible.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. 
+ type: long + process.responsible.pe.sections.name: + dashed_name: process-responsible-pe-sections-name + description: PE Section List name. + flat_name: process.responsible.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + process.responsible.pe.sections.physical_size: + dashed_name: process-responsible-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.responsible.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.responsible.pe.sections.var_entropy: + dashed_name: process-responsible-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.responsible.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.responsible.pe.sections.virtual_size: + dashed_name: process-responsible-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.responsible.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.responsible.pid: + dashed_name: process-responsible-pid + description: Process id. + example: 4242 + flat_name: process.responsible.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.responsible.platform_binary: + beta: This field is beta and subject to change. 
+ dashed_name: process-responsible-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + flat_name: process.responsible.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.responsible.real_group.domain: + dashed_name: process-responsible-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.responsible.real_group.id: + dashed_name: process-responsible-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.responsible.real_group.name: + dashed_name: process-responsible-real-group-name + description: Name of the group. + flat_name: process.responsible.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.responsible.real_user.domain: + dashed_name: process-responsible-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. 
+ type: keyword + process.responsible.real_user.email: + dashed_name: process-responsible-real-user-email + description: User email address. + flat_name: process.responsible.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.responsible.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.responsible.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.responsible.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.responsible.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.responsible.real_user.entity.display_name: + beta: This field is beta and subject to change. 
+ dashed_name: process-responsible-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.responsible.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.real_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.responsible.real_user.entity.id: + dashed_name: process-responsible-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.responsible.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.responsible.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. 
+ flat_name: process.responsible.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.responsible.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.responsible.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.responsible.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.responsible.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.responsible.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. 
+ flat_name: process.responsible.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.real_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.responsible.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.responsible.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.responsible.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.responsible.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.responsible.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). 
+ flat_name: process.responsible.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.responsible.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.responsible.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.responsible.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. 
+ Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. 
Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.responsible.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.responsible.real_user.full_name: + dashed_name: process-responsible-real-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.responsible.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.responsible.real_user.group.domain: + dashed_name: process-responsible-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.responsible.real_user.group.id: + dashed_name: process-responsible-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.responsible.real_user.group.name: + dashed_name: process-responsible-real-user-group-name + description: Name of the group. + flat_name: process.responsible.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.responsible.real_user.hash: + dashed_name: process-responsible-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.responsible.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.responsible.real_user.id: + dashed_name: process-responsible-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.responsible.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.responsible.real_user.name: + dashed_name: process-responsible-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.responsible.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.responsible.real_user.risk.calculated_level: + dashed_name: process-responsible-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.responsible.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.responsible.real_user.risk.calculated_score: + dashed_name: process-responsible-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.responsible.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.responsible.real_user.risk.calculated_score_norm: + dashed_name: process-responsible-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.responsible.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.responsible.real_user.risk.static_level: + dashed_name: process-responsible-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.responsible.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.responsible.real_user.risk.static_score: + dashed_name: process-responsible-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.responsible.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.responsible.real_user.risk.static_score_norm: + dashed_name: process-responsible-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.responsible.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.responsible.real_user.roles: + dashed_name: process-responsible-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.responsible.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.responsible.same_as_process: + dashed_name: process-responsible-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. 
+ e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.responsible.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. + type: boolean + process.responsible.saved_group.domain: + dashed_name: process-responsible-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.responsible.saved_group.id: + dashed_name: process-responsible-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.responsible.saved_group.name: + dashed_name: process-responsible-saved-group-name + description: Name of the group. + flat_name: process.responsible.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.responsible.saved_user.domain: + dashed_name: process-responsible-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.responsible.saved_user.email: + dashed_name: process-responsible-saved-user-email + description: User email address. + flat_name: process.responsible.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.responsible.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.responsible.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.responsible.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. 
Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.responsible.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.responsible.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.responsible.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.saved_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.responsible.saved_user.entity.id: + dashed_name: process-responsible-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ flat_name: process.responsible.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.responsible.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.responsible.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.responsible.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.responsible.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.responsible.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.responsible.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. 
+ type: object + process.responsible.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.responsible.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.saved_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.responsible.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.responsible.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.responsible.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: process.responsible.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.responsible.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.responsible.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.responsible.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.responsible.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.responsible.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. 
+ name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
+ example: host + flat_name: process.responsible.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.responsible.saved_user.full_name: + dashed_name: process-responsible-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.responsible.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.responsible.saved_user.group.domain: + dashed_name: process-responsible-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.responsible.saved_user.group.id: + dashed_name: process-responsible-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.responsible.saved_user.group.name: + dashed_name: process-responsible-saved-user-group-name + description: Name of the group. + flat_name: process.responsible.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.responsible.saved_user.hash: + dashed_name: process-responsible-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.responsible.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.responsible.saved_user.id: + dashed_name: process-responsible-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.responsible.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.responsible.saved_user.name: + dashed_name: process-responsible-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.responsible.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.responsible.saved_user.risk.calculated_level: + dashed_name: process-responsible-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.responsible.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: keyword + process.responsible.saved_user.risk.calculated_score: + dashed_name: process-responsible-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.responsible.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.responsible.saved_user.risk.calculated_score_norm: + dashed_name: process-responsible-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.responsible.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.responsible.saved_user.risk.static_level: + dashed_name: process-responsible-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.responsible.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.responsible.saved_user.risk.static_score: + dashed_name: process-responsible-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.responsible.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.responsible.saved_user.risk.static_score_norm: + dashed_name: process-responsible-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.responsible.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.responsible.saved_user.roles: + dashed_name: process-responsible-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.responsible.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.responsible.start: + dashed_name: process-responsible-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.responsible.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.responsible.supplemental_groups.domain: + dashed_name: process-responsible-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.responsible.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.responsible.supplemental_groups.id: + dashed_name: process-responsible-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.responsible.supplemental_groups.name: + dashed_name: process-responsible-supplemental-groups-name + description: Name of the group. + flat_name: process.responsible.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.responsible.thread.capabilities.effective: + dashed_name: process-responsible-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.responsible.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword + process.responsible.thread.capabilities.permitted: + dashed_name: process-responsible-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.responsible.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword + process.responsible.thread.id: + dashed_name: process-responsible-thread-id + description: Thread ID. + example: 4242 + flat_name: process.responsible.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long + process.responsible.thread.name: + dashed_name: process-responsible-thread-name + description: Thread name. + example: thread-0 + flat_name: process.responsible.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword + process.responsible.title: + dashed_name: process-responsible-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + flat_name: process.responsible.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword + process.responsible.tty: + dashed_name: process-responsible-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.responsible.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. 
+ type: object + process.responsible.tty.char_device.major: + dashed_name: process-responsible-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.responsible.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long + process.responsible.tty.char_device.minor: + dashed_name: process-responsible-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.responsible.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long + process.responsible.tty.columns: + dashed_name: process-responsible-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.responsible.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long + process.responsible.tty.rows: + dashed_name: process-responsible-tty-rows + description: 'The number of character rows in the terminal. 
e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.responsible.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long + process.responsible.uptime: + dashed_name: process-responsible-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.responsible.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long + process.responsible.user.domain: + dashed_name: process-responsible-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.responsible.user.email: + dashed_name: process-responsible-user-email + description: User email address. + flat_name: process.responsible.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.responsible.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. 
+ flat_name: process.responsible.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.responsible.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.responsible.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.responsible.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.responsible.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.responsible.user.entity.id: + dashed_name: process-responsible-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.responsible.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.responsible.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.responsible.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.responsible.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.responsible.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. 
+ type: object + process.responsible.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.responsible.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.responsible.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.responsible.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.responsible.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.responsible.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.responsible.user.entity.reference: + beta: This field is beta and subject to change. 
+ dashed_name: process-responsible-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.responsible.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.responsible.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.responsible.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.responsible.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.responsible.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. 
+ type: keyword + process.responsible.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. 
+ name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-type + description: 'A standardized high-level classification of the entity. 
This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.responsible.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.responsible.user.full_name: + dashed_name: process-responsible-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.responsible.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.responsible.user.group.domain: + dashed_name: process-responsible-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.responsible.user.group.id: + dashed_name: process-responsible-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.responsible.user.group.name: + dashed_name: process-responsible-user-group-name + description: Name of the group. 
+ flat_name: process.responsible.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.responsible.user.hash: + dashed_name: process-responsible-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.responsible.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.responsible.user.id: + dashed_name: process-responsible-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.responsible.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.responsible.user.name: + dashed_name: process-responsible-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.responsible.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.responsible.user.risk.calculated_level: + dashed_name: process-responsible-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.responsible.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.responsible.user.risk.calculated_score: + dashed_name: process-responsible-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.responsible.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.responsible.user.risk.calculated_score_norm: + dashed_name: process-responsible-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.responsible.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.responsible.user.risk.static_level: + dashed_name: process-responsible-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.responsible.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: keyword + process.responsible.user.risk.static_score: + dashed_name: process-responsible-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.responsible.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.responsible.user.risk.static_score_norm: + dashed_name: process-responsible-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.responsible.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.responsible.user.roles: + dashed_name: process-responsible-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.responsible.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.responsible.vpid: + dashed_name: process-responsible-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.responsible.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. 
+ type: long + process.responsible.working_directory: + dashed_name: process-responsible-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.responsible.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword + process.same_as_process: + dashed_name: process-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.same_as_process + level: extended + name: same_as_process + normalize: [] + short: This boolean is used to identify if a leader process is the same as the + top level process. 
+ type: boolean + process.saved_group.domain: + dashed_name: process-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.saved_group.id: + dashed_name: process-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.saved_group.name: + dashed_name: process-saved-group-name + description: Name of the group. + flat_name: process.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.saved_user.domain: + dashed_name: process-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.saved_user.email: + dashed_name: process-saved-user-email + description: User email address. + flat_name: process.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. 
Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.saved_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. 
+ type: keyword + process.saved_user.entity.id: + dashed_name: process-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.saved_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. 
+ type: object + process.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. 
+ type: keyword + process.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. 
+ name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-type + description: 'A standardized high-level classification of the entity. 
This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.saved_user.full_name: + dashed_name: process-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.saved_user.group.domain: + dashed_name: process-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.saved_user.group.id: + dashed_name: process-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.saved_user.group.name: + dashed_name: process-saved-user-group-name + description: Name of the group. + flat_name: process.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.saved_user.hash: + dashed_name: process-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.saved_user.id: + dashed_name: process-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + otel: + - relation: match + short: Unique identifier of the user. + type: keyword + process.saved_user.name: + dashed_name: process-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + otel: + - relation: match + short: Short name or login of the user. + type: keyword + process.saved_user.risk.calculated_level: + dashed_name: process-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: keyword + process.saved_user.risk.calculated_score: + dashed_name: process-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.saved_user.risk.calculated_score_norm: + dashed_name: process-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.saved_user.risk.static_level: + dashed_name: process-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.saved_user.risk.static_score: + dashed_name: process-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.saved_user.risk.static_score_norm: + dashed_name: process-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.saved_user.roles: + dashed_name: process-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.session_leader.args: + dashed_name: process-session-leader-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.session_leader.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.session_leader.args_count: + dashed_name: process-session-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. 
More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.session_leader.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long + process.session_leader.attested_groups.domain: + dashed_name: process-session-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.attested_groups.id: + dashed_name: process-session-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.attested_groups.name: + dashed_name: process-session-leader-attested-groups-name + description: Name of the group. + flat_name: process.session_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.attested_user.domain: + dashed_name: process-session-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. 
+ type: keyword + process.session_leader.attested_user.email: + dashed_name: process-session-leader-attested-user-email + description: User email address. + flat_name: process.session_leader.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.session_leader.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.session_leader.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.session_leader.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. 
+ type: object + process.session_leader.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.attested_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.session_leader.attested_user.entity.id: + dashed_name: process-session-leader-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.session_leader.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.session_leader.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.session_leader.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.session_leader.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.session_leader.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.session_leader.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-name + description: The name of the entity. 
The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.session_leader.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.attested_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.session_leader.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.session_leader.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.session_leader.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.session_leader.attested_user.entity.source: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-attested-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.session_leader.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.session_leader.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.session_leader.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. 
+ The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. 
Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.session_leader.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. 
+ type: keyword + process.session_leader.attested_user.full_name: + dashed_name: process-session-leader-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.session_leader.attested_user.group.domain: + dashed_name: process-session-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.attested_user.group.id: + dashed_name: process-session-leader-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.attested_user.group.name: + dashed_name: process-session-leader-attested-user-group-name + description: Name of the group. + flat_name: process.session_leader.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.attested_user.hash: + dashed_name: process-session-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. 
+ + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.session_leader.attested_user.id: + dashed_name: process-session-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.session_leader.attested_user.name: + dashed_name: process-session-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.session_leader.attested_user.risk.calculated_level: + dashed_name: process-session-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: keyword + process.session_leader.attested_user.risk.calculated_score: + dashed_name: process-session-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.session_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-session-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.session_leader.attested_user.risk.static_level: + dashed_name: process-session-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: keyword + process.session_leader.attested_user.risk.static_score: + dashed_name: process-session-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.session_leader.attested_user.risk.static_score_norm: + dashed_name: process-session-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.attested_user.roles: + dashed_name: process-session-leader-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.session_leader.code_signature.digest_algorithm: + dashed_name: process-session-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' 
+ example: sha256 + flat_name: process.session_leader.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword + process.session_leader.code_signature.exists: + dashed_name: process-session-leader-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.session_leader.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.session_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.session_leader.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword + process.session_leader.code_signature.signing_id: + dashed_name: process-session-leader-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.session_leader.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + process.session_leader.code_signature.status: + dashed_name: process-session-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. 
Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.session_leader.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + process.session_leader.code_signature.subject_name: + dashed_name: process-session-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.session_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.session_leader.code_signature.team_id: + dashed_name: process-session-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.session_leader.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + process.session_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.session_leader.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. 
+ type: keyword + process.session_leader.code_signature.timestamp: + dashed_name: process-session-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.session_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date + process.session_leader.code_signature.trusted: + dashed_name: process-session-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.session_leader.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.session_leader.code_signature.valid: + dashed_name: process-session-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.session_leader.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + process.session_leader.command_line: + dashed_name: process-session-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' 
+ example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.session_leader.command_line + level: extended + multi_fields: + - flat_name: process.session_leader.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.session_leader.elf.architecture: + dashed_name: process-session-leader-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.session_leader.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.session_leader.elf.byte_order: + dashed_name: process-session-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.session_leader.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + process.session_leader.elf.cpu_type: + dashed_name: process-session-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.session_leader.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + process.session_leader.elf.creation_date: + dashed_name: process-session-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: process.session_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. 
+ type: date + process.session_leader.elf.exports: + dashed_name: process-session-leader-elf-exports + description: List of exported element names and types. + flat_name: process.session_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + process.session_leader.elf.go_import_hash: + dashed_name: process-session-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + process.session_leader.elf.go_imports: + dashed_name: process-session-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.session_leader.elf.go_imports_names_entropy: + dashed_name: process-session-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. 
+ type: long + process.session_leader.elf.go_imports_names_var_entropy: + dashed_name: process-session-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.elf.go_stripped: + dashed_name: process-session-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.session_leader.elf.header.abi_version: + dashed_name: process-session-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.session_leader.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.session_leader.elf.header.class: + dashed_name: process-session-leader-elf-header-class + description: Header class of the ELF file. + flat_name: process.session_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + process.session_leader.elf.header.data: + dashed_name: process-session-leader-elf-header-data + description: Data table of the ELF header. 
+ flat_name: process.session_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + process.session_leader.elf.header.entrypoint: + dashed_name: process-session-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.session_leader.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.session_leader.elf.header.object_version: + dashed_name: process-session-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.session_leader.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.session_leader.elf.header.os_abi: + dashed_name: process-session-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.session_leader.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.session_leader.elf.header.type: + dashed_name: process-session-leader-elf-header-type + description: Header type of the ELF file. + flat_name: process.session_leader.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.session_leader.elf.header.version: + dashed_name: process-session-leader-elf-header-version + description: Version of the ELF header. 
+ flat_name: process.session_leader.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.session_leader.elf.import_hash: + dashed_name: process-session-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword + process.session_leader.elf.imports: + dashed_name: process-session-leader-elf-imports + description: List of imported element names and types. + flat_name: process.session_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.session_leader.elf.imports_names_entropy: + dashed_name: process-session-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.session_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.session_leader.elf.imports_names_var_entropy: + dashed_name: process-session-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.session_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.session_leader.elf.sections: + dashed_name: process-session-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.session_leader.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.session_leader.elf.sections.chi2: + dashed_name: process-session-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.session_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.session_leader.elf.sections.entropy: + dashed_name: process-session-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.session_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.session_leader.elf.sections.flags: + dashed_name: process-session-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.session_leader.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. 
+ type: keyword + process.session_leader.elf.sections.name: + dashed_name: process-session-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.session_leader.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.session_leader.elf.sections.physical_offset: + dashed_name: process-session-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.session_leader.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.session_leader.elf.sections.physical_size: + dashed_name: process-session-leader-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.session_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + process.session_leader.elf.sections.type: + dashed_name: process-session-leader-elf-sections-type + description: ELF Section List type. + flat_name: process.session_leader.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.session_leader.elf.sections.var_entropy: + dashed_name: process-session-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. 
+ type: long + process.session_leader.elf.sections.virtual_address: + dashed_name: process-session-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.session_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.session_leader.elf.sections.virtual_size: + dashed_name: process-session-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.session_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + process.session_leader.elf.segments: + dashed_name: process-session-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.session_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + process.session_leader.elf.segments.sections: + dashed_name: process-session-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.session_leader.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.session_leader.elf.segments.type: + dashed_name: process-session-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.session_leader.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. 
+ type: keyword + process.session_leader.elf.shared_libraries: + dashed_name: process-session-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.session_leader.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + process.session_leader.elf.telfhash: + dashed_name: process-session-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.session_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + process.session_leader.end: + dashed_name: process-session-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date + process.session_leader.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.session_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.session_leader.entity_id: + dashed_name: process-session-leader-entity-id + description: 'Unique identifier for the process. 
+ + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.session_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.session_leader.entry_meta.source.address: + dashed_name: process-session-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.session_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword + process.session_leader.entry_meta.source.as.number: + dashed_name: process-session-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.session_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.session_leader.entry_meta.source.as.organization.name: + dashed_name: process-session-leader-entry-meta-source-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: process.session_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword + process.session_leader.entry_meta.source.bytes: + dashed_name: process-session-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.session_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.session_leader.entry_meta.source.domain: + dashed_name: process-session-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.session_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.session_leader.entry_meta.source.geo.city_name: + dashed_name: process-session-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.session_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + process.session_leader.entry_meta.source.geo.continent_code: + dashed_name: process-session-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. 
+ example: NA + flat_name: process.session_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + process.session_leader.entry_meta.source.geo.continent_name: + dashed_name: process-session-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.session_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.session_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-session-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.session_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + process.session_leader.entry_meta.source.geo.country_name: + dashed_name: process-session-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.session_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + process.session_leader.entry_meta.source.geo.location: + dashed_name: process-session-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.session_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. 
+ type: geo_point + process.session_leader.entry_meta.source.geo.name: + dashed_name: process-session-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.session_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.session_leader.entry_meta.source.geo.postal_code: + dashed_name: process-session-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.session_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.session_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-session-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.session_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.session_leader.entry_meta.source.geo.region_name: + dashed_name: process-session-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.session_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. 
+ type: keyword + process.session_leader.entry_meta.source.geo.timezone: + dashed_name: process-session-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.session_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.session_leader.entry_meta.source.ip: + dashed_name: process-session-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.session_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip + process.session_leader.entry_meta.source.mac: + dashed_name: process-session-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.session_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.session_leader.entry_meta.source.nat.ip: + dashed_name: process-session-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' 
+ flat_name: process.session_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.session_leader.entry_meta.source.nat.port: + dashed_name: process-session-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.session_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.session_leader.entry_meta.source.packets: + dashed_name: process-session-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.session_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.session_leader.entry_meta.source.port: + dashed_name: process-session-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.session_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.session_leader.entry_meta.source.registered_domain: + dashed_name: process-session-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' 
+ example: example.com + flat_name: process.session_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.session_leader.entry_meta.source.subdomain: + dashed_name: process-session-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.session_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.session_leader.entry_meta.source.top_level_domain: + dashed_name: process-session-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' 
+ example: co.uk + flat_name: process.session_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword + process.session_leader.entry_meta.type: + dashed_name: process-session-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.session_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword + process.session_leader.env_vars: + dashed_name: process-session-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.session_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.session_leader.executable: + dashed_name: process-session-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.session_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. 
+ type: keyword + process.session_leader.exit_code: + dashed_name: process-session-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.session_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long + process.session_leader.group.domain: + dashed_name: process-session-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.group.id: + dashed_name: process-session-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.group.name: + dashed_name: process-session-leader-group-name + description: Name of the group. + flat_name: process.session_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. 
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.session_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.session_leader.hash.md5: + dashed_name: process-session-leader-hash-md5 + description: MD5 hash. + flat_name: process.session_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.session_leader.hash.sha1: + dashed_name: process-session-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.session_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + process.session_leader.hash.sha256: + dashed_name: process-session-leader-hash-sha256 + description: SHA256 hash. + flat_name: process.session_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.session_leader.hash.sha384: + dashed_name: process-session-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.session_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword + process.session_leader.hash.sha512: + dashed_name: process-session-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.session_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.session_leader.hash.ssdeep: + dashed_name: process-session-leader-hash-ssdeep + description: SSDEEP hash. 
+ flat_name: process.session_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + process.session_leader.hash.tlsh: + dashed_name: process-session-leader-hash-tlsh + description: TLSH hash. + flat_name: process.session_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.session_leader.interactive: + dashed_name: process-session-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.session_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.session_leader.io: + dashed_name: process-session-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.session_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. 
+ type: object + process.session_leader.io.bytes_skipped: + dashed_name: process-session-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + flat_name: process.session_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.session_leader.io.bytes_skipped.length: + dashed_name: process-session-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.session_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long + process.session_leader.io.bytes_skipped.offset: + dashed_name: process-session-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.session_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.session_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-session-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.session_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. 
+ type: boolean + process.session_leader.io.text: + dashed_name: process-session-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.session_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard + process.session_leader.io.total_bytes_captured: + dashed_name: process-session-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.session_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long + process.session_leader.io.total_bytes_skipped: + dashed_name: process-session-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.session_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: long + process.session_leader.io.type: + dashed_name: process-session-leader-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' 
+ flat_name: process.session_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword + process.session_leader.macho.go_import_hash: + dashed_name: process-session-leader-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword + process.session_leader.macho.go_imports: + dashed_name: process-session-leader-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.session_leader.macho.go_imports_names_entropy: + dashed_name: process-session-leader-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. 
+ type: long + process.session_leader.macho.go_imports_names_var_entropy: + dashed_name: process-session-leader-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.macho.go_stripped: + dashed_name: process-session-leader-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.session_leader.macho.import_hash: + dashed_name: process-session-leader-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.session_leader.macho.imports: + dashed_name: process-session-leader-macho-imports + description: List of imported element names and types. + flat_name: process.session_leader.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. 
+ type: flattened + process.session_leader.macho.imports_names_entropy: + dashed_name: process-session-leader-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.session_leader.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.session_leader.macho.imports_names_var_entropy: + dashed_name: process-session-leader-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.session_leader.macho.sections: + dashed_name: process-session-leader-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.session_leader.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.session_leader.macho.sections.entropy: + dashed_name: process-session-leader-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.session_leader.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. 
+ type: long + process.session_leader.macho.sections.name: + dashed_name: process-session-leader-macho-sections-name + description: Mach-O Section List name. + flat_name: process.session_leader.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.session_leader.macho.sections.physical_size: + dashed_name: process-session-leader-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.session_leader.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.session_leader.macho.sections.var_entropy: + dashed_name: process-session-leader-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.session_leader.macho.sections.virtual_size: + dashed_name: process-session-leader-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.session_leader.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.session_leader.macho.symhash: + dashed_name: process-session-leader-macho-symhash + description: 'A hash of the imports in a Mach-O file. 
An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.session_leader.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.session_leader.name: + dashed_name: process-session-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.session_leader.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword + process.session_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.session_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.session_leader.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.session_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. 
+ type: keyword + process.session_leader.parent.args: + dashed_name: process-session-leader-parent-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.session_leader.parent.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.session_leader.parent.args_count: + dashed_name: process-session-leader-parent-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.session_leader.parent.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long + process.session_leader.parent.attested_groups.domain: + dashed_name: process-session-leader-parent-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.attested_groups.id: + dashed_name: process-session-leader-parent-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + process.session_leader.parent.attested_groups.name: + dashed_name: process-session-leader-parent-attested-groups-name + description: Name of the group. + flat_name: process.session_leader.parent.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.attested_user.domain: + dashed_name: process-session-leader-parent-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.session_leader.parent.attested_user.email: + dashed_name: process-session-leader-parent-attested-user-email + description: User email address. + flat_name: process.session_leader.parent.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.session_leader.parent.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.session_leader.parent.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. 
+ type: object + process.session_leader.parent.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.session_leader.parent.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.parent.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.attested_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.session_leader.parent.attested_user.entity.id: + dashed_name: process-session-leader-parent-attested-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.session_leader.parent.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.session_leader.parent.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.parent.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.session_leader.parent.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.session_leader.parent.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.session_leader.parent.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.session_leader.parent.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.session_leader.parent.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.session_leader.parent.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.attested_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.session_leader.parent.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. 
While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.session_leader.parent.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.session_leader.parent.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.parent.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.session_leader.parent.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.session_leader.parent.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.session_leader.parent.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. 
Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.parent.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.session_leader.parent.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. 
This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. 
This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.session_leader.parent.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.session_leader.parent.attested_user.full_name: + dashed_name: process-session-leader-parent-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.session_leader.parent.attested_user.group.domain: + dashed_name: process-session-leader-parent-attested-user-group-domain + description: 'Name of the directory the group is a member of. 
+ + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.attested_user.group.id: + dashed_name: process-session-leader-parent-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.parent.attested_user.group.name: + dashed_name: process-session-leader-parent-attested-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.attested_user.hash: + dashed_name: process-session-leader-parent-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.session_leader.parent.attested_user.id: + dashed_name: process-session-leader-parent-attested-user-id + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.session_leader.parent.attested_user.name: + dashed_name: process-session-leader-parent-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.session_leader.parent.attested_user.risk.calculated_level: + dashed_name: process-session-leader-parent-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.session_leader.parent.attested_user.risk.calculated_score: + dashed_name: process-session-leader-parent-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + process.session_leader.parent.attested_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.parent.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.session_leader.parent.attested_user.risk.static_level: + dashed_name: process-session-leader-parent-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.session_leader.parent.attested_user.risk.static_score: + dashed_name: process-session-leader-parent-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.session_leader.parent.attested_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.parent.attested_user.roles: + dashed_name: process-session-leader-parent-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.session_leader.parent.code_signature.digest_algorithm: + dashed_name: process-session-leader-parent-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.session_leader.parent.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword + process.session_leader.parent.code_signature.exists: + dashed_name: process-session-leader-parent-code-signature-exists + description: Boolean to capture if a signature is present. 
+ example: 'true' + flat_name: process.session_leader.parent.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.session_leader.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.session_leader.parent.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword + process.session_leader.parent.code_signature.signing_id: + dashed_name: process-session-leader-parent-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.session_leader.parent.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + process.session_leader.parent.code_signature.status: + dashed_name: process-session-leader-parent-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.session_leader.parent.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. 
+ type: keyword + process.session_leader.parent.code_signature.subject_name: + dashed_name: process-session-leader-parent-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.session_leader.parent.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.session_leader.parent.code_signature.team_id: + dashed_name: process-session-leader-parent-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.session_leader.parent.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + process.session_leader.parent.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.session_leader.parent.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword + process.session_leader.parent.code_signature.timestamp: + dashed_name: process-session-leader-parent-code-signature-timestamp + description: Date and time when the code signature was generated and signed. 
+ example: '2021-01-01T12:10:30Z' + flat_name: process.session_leader.parent.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date + process.session_leader.parent.code_signature.trusted: + dashed_name: process-session-leader-parent-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.session_leader.parent.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.session_leader.parent.code_signature.valid: + dashed_name: process-session-leader-parent-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.session_leader.parent.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + process.session_leader.parent.command_line: + dashed_name: process-session-leader-parent-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' 
+ example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.session_leader.parent.command_line + level: extended + multi_fields: + - flat_name: process.session_leader.parent.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.session_leader.parent.elf.architecture: + dashed_name: process-session-leader-parent-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.session_leader.parent.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.session_leader.parent.elf.byte_order: + dashed_name: process-session-leader-parent-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.session_leader.parent.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + process.session_leader.parent.elf.cpu_type: + dashed_name: process-session-leader-parent-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.session_leader.parent.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + process.session_leader.parent.elf.creation_date: + dashed_name: process-session-leader-parent-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: process.session_leader.parent.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. 
+ type: date + process.session_leader.parent.elf.exports: + dashed_name: process-session-leader-parent-elf-exports + description: List of exported element names and types. + flat_name: process.session_leader.parent.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + process.session_leader.parent.elf.go_import_hash: + dashed_name: process-session-leader-parent-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.parent.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + process.session_leader.parent.elf.go_imports: + dashed_name: process-session-leader-parent-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.parent.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.session_leader.parent.elf.go_imports_names_entropy: + dashed_name: process-session-leader-parent-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.session_leader.parent.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.parent.elf.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.parent.elf.go_stripped: + dashed_name: process-session-leader-parent-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.parent.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.session_leader.parent.elf.header.abi_version: + dashed_name: process-session-leader-parent-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.session_leader.parent.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.session_leader.parent.elf.header.class: + dashed_name: process-session-leader-parent-elf-header-class + description: Header class of the ELF file. 
+ flat_name: process.session_leader.parent.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + process.session_leader.parent.elf.header.data: + dashed_name: process-session-leader-parent-elf-header-data + description: Data table of the ELF header. + flat_name: process.session_leader.parent.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + process.session_leader.parent.elf.header.entrypoint: + dashed_name: process-session-leader-parent-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.session_leader.parent.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.session_leader.parent.elf.header.object_version: + dashed_name: process-session-leader-parent-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.session_leader.parent.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.session_leader.parent.elf.header.os_abi: + dashed_name: process-session-leader-parent-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.session_leader.parent.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.session_leader.parent.elf.header.type: + dashed_name: process-session-leader-parent-elf-header-type + description: Header type of the ELF file. 
+ flat_name: process.session_leader.parent.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.session_leader.parent.elf.header.version: + dashed_name: process-session-leader-parent-elf-header-version + description: Version of the ELF header. + flat_name: process.session_leader.parent.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.session_leader.parent.elf.import_hash: + dashed_name: process-session-leader-parent-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.parent.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword + process.session_leader.parent.elf.imports: + dashed_name: process-session-leader-parent-elf-imports + description: List of imported element names and types. + flat_name: process.session_leader.parent.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.session_leader.parent.elf.imports_names_entropy: + dashed_name: process-session-leader-parent-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.session_leader.parent.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.session_leader.parent.elf.imports_names_var_entropy: + dashed_name: process-session-leader-parent-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.parent.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.session_leader.parent.elf.sections: + dashed_name: process-session-leader-parent-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.session_leader.parent.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.session_leader.parent.elf.sections.chi2: + dashed_name: process-session-leader-parent-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.session_leader.parent.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.session_leader.parent.elf.sections.entropy: + dashed_name: process-session-leader-parent-elf-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: process.session_leader.parent.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.session_leader.parent.elf.sections.flags: + dashed_name: process-session-leader-parent-elf-sections-flags + description: ELF Section List flags. + flat_name: process.session_leader.parent.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + process.session_leader.parent.elf.sections.name: + dashed_name: process-session-leader-parent-elf-sections-name + description: ELF Section List name. + flat_name: process.session_leader.parent.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.session_leader.parent.elf.sections.physical_offset: + dashed_name: process-session-leader-parent-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.session_leader.parent.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.session_leader.parent.elf.sections.physical_size: + dashed_name: process-session-leader-parent-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.session_leader.parent.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + process.session_leader.parent.elf.sections.type: + dashed_name: process-session-leader-parent-elf-sections-type + description: ELF Section List type. 
+ flat_name: process.session_leader.parent.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.session_leader.parent.elf.sections.var_entropy: + dashed_name: process-session-leader-parent-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long + process.session_leader.parent.elf.sections.virtual_address: + dashed_name: process-session-leader-parent-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.session_leader.parent.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.session_leader.parent.elf.sections.virtual_size: + dashed_name: process-session-leader-parent-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.session_leader.parent.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + process.session_leader.parent.elf.segments: + dashed_name: process-session-leader-parent-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.session_leader.parent.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. 
+ type: nested + process.session_leader.parent.elf.segments.sections: + dashed_name: process-session-leader-parent-elf-segments-sections + description: ELF object segment sections. + flat_name: process.session_leader.parent.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.session_leader.parent.elf.segments.type: + dashed_name: process-session-leader-parent-elf-segments-type + description: ELF object segment type. + flat_name: process.session_leader.parent.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + process.session_leader.parent.elf.shared_libraries: + dashed_name: process-session-leader-parent-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.session_leader.parent.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + process.session_leader.parent.elf.telfhash: + dashed_name: process-session-leader-parent-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.session_leader.parent.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + process.session_leader.parent.end: + dashed_name: process-session-leader-parent-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.parent.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. 
+ type: date + process.session_leader.parent.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.session_leader.parent.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.session_leader.parent.entity_id: + dashed_name: process-session-leader-parent-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.session_leader.parent.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.session_leader.parent.entry_meta.source.address: + dashed_name: process-session-leader-parent-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' 
+ flat_name: process.session_leader.parent.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword + process.session_leader.parent.entry_meta.source.as.number: + dashed_name: process-session-leader-parent-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.session_leader.parent.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.session_leader.parent.entry_meta.source.as.organization.name: + dashed_name: process-session-leader-parent-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.session_leader.parent.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword + process.session_leader.parent.entry_meta.source.bytes: + dashed_name: process-session-leader-parent-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.session_leader.parent.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.session_leader.parent.entry_meta.source.domain: + dashed_name: process-session-leader-parent-entry-meta-source-domain + description: 'The domain name of the source system. 
+ + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.session_leader.parent.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.session_leader.parent.entry_meta.source.geo.city_name: + dashed_name: process-session-leader-parent-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.session_leader.parent.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + process.session_leader.parent.entry_meta.source.geo.continent_code: + dashed_name: process-session-leader-parent-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.session_leader.parent.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + process.session_leader.parent.entry_meta.source.geo.continent_name: + dashed_name: process-session-leader-parent-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.session_leader.parent.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.session_leader.parent.entry_meta.source.geo.country_iso_code: + dashed_name: process-session-leader-parent-entry-meta-source-geo-country-iso-code + description: Country ISO code. 
+ example: CA + flat_name: process.session_leader.parent.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + process.session_leader.parent.entry_meta.source.geo.country_name: + dashed_name: process-session-leader-parent-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.session_leader.parent.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + process.session_leader.parent.entry_meta.source.geo.location: + dashed_name: process-session-leader-parent-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.session_leader.parent.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + process.session_leader.parent.entry_meta.source.geo.name: + dashed_name: process-session-leader-parent-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.session_leader.parent.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.session_leader.parent.entry_meta.source.geo.postal_code: + dashed_name: process-session-leader-parent-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. 
+ + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.session_leader.parent.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.session_leader.parent.entry_meta.source.geo.region_iso_code: + dashed_name: process-session-leader-parent-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.session_leader.parent.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.session_leader.parent.entry_meta.source.geo.region_name: + dashed_name: process-session-leader-parent-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.session_leader.parent.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + process.session_leader.parent.entry_meta.source.geo.timezone: + dashed_name: process-session-leader-parent-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.session_leader.parent.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.session_leader.parent.entry_meta.source.ip: + dashed_name: process-session-leader-parent-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.session_leader.parent.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. 
+ type: ip + process.session_leader.parent.entry_meta.source.mac: + dashed_name: process-session-leader-parent-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.session_leader.parent.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.session_leader.parent.entry_meta.source.nat.ip: + dashed_name: process-session-leader-parent-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.session_leader.parent.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.session_leader.parent.entry_meta.source.nat.port: + dashed_name: process-session-leader-parent-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.session_leader.parent.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.session_leader.parent.entry_meta.source.packets: + dashed_name: process-session-leader-parent-entry-meta-source-packets + description: Packets sent from the source to the destination. 
+ example: 12 + flat_name: process.session_leader.parent.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.session_leader.parent.entry_meta.source.port: + dashed_name: process-session-leader-parent-entry-meta-source-port + description: Port of the source. + flat_name: process.session_leader.parent.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.session_leader.parent.entry_meta.source.registered_domain: + dashed_name: process-session-leader-parent-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.session_leader.parent.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.session_leader.parent.entry_meta.source.subdomain: + dashed_name: process-session-leader-parent-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.session_leader.parent.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.session_leader.parent.entry_meta.source.top_level_domain: + dashed_name: process-session-leader-parent-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.session_leader.parent.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword + process.session_leader.parent.entry_meta.type: + dashed_name: process-session-leader-parent-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.session_leader.parent.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword + process.session_leader.parent.env_vars: + dashed_name: process-session-leader-parent-env-vars + description: 'Array of environment variable bindings. 
Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.session_leader.parent.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.session_leader.parent.executable: + dashed_name: process-session-leader-parent-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.session_leader.parent.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword + process.session_leader.parent.exit_code: + dashed_name: process-session-leader-parent-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.session_leader.parent.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long + process.session_leader.parent.group.domain: + dashed_name: process-session-leader-parent-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.session_leader.parent.group.id: + dashed_name: process-session-leader-parent-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.parent.group.name: + dashed_name: process-session-leader-parent-group-name + description: Name of the group. + flat_name: process.session_leader.parent.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.session_leader.parent.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.session_leader.parent.hash.md5: + dashed_name: process-session-leader-parent-hash-md5 + description: MD5 hash. + flat_name: process.session_leader.parent.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.session_leader.parent.hash.sha1: + dashed_name: process-session-leader-parent-hash-sha1 + description: SHA1 hash. + flat_name: process.session_leader.parent.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. 
+ type: keyword + process.session_leader.parent.hash.sha256: + dashed_name: process-session-leader-parent-hash-sha256 + description: SHA256 hash. + flat_name: process.session_leader.parent.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.session_leader.parent.hash.sha384: + dashed_name: process-session-leader-parent-hash-sha384 + description: SHA384 hash. + flat_name: process.session_leader.parent.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword + process.session_leader.parent.hash.sha512: + dashed_name: process-session-leader-parent-hash-sha512 + description: SHA512 hash. + flat_name: process.session_leader.parent.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.session_leader.parent.hash.ssdeep: + dashed_name: process-session-leader-parent-hash-ssdeep + description: SSDEEP hash. + flat_name: process.session_leader.parent.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + process.session_leader.parent.hash.tlsh: + dashed_name: process-session-leader-parent-hash-tlsh + description: TLSH hash. + flat_name: process.session_leader.parent.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.session_leader.parent.interactive: + dashed_name: process-session-leader-parent-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. 
+ + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.session_leader.parent.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.session_leader.parent.io: + dashed_name: process-session-leader-parent-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.session_leader.parent.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object + process.session_leader.parent.io.bytes_skipped: + dashed_name: process-session-leader-parent-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + flat_name: process.session_leader.parent.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.session_leader.parent.io.bytes_skipped.length: + dashed_name: process-session-leader-parent-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.session_leader.parent.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. 
+ type: long + process.session_leader.parent.io.bytes_skipped.offset: + dashed_name: process-session-leader-parent-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.session_leader.parent.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.session_leader.parent.io.max_bytes_per_process_exceeded: + dashed_name: process-session-leader-parent-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.session_leader.parent.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.session_leader.parent.io.text: + dashed_name: process-session-leader-parent-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.session_leader.parent.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. 
+ type: wildcard + process.session_leader.parent.io.total_bytes_captured: + dashed_name: process-session-leader-parent-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.session_leader.parent.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long + process.session_leader.parent.io.total_bytes_skipped: + dashed_name: process-session-leader-parent-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.session_leader.parent.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: long + process.session_leader.parent.io.type: + dashed_name: process-session-leader-parent-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.session_leader.parent.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword + process.session_leader.parent.macho.go_import_hash: + dashed_name: process-session-leader-parent-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.parent.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword + process.session_leader.parent.macho.go_imports: + dashed_name: process-session-leader-parent-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.parent.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.session_leader.parent.macho.go_imports_names_entropy: + dashed_name: process-session-leader-parent-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.parent.macho.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.session_leader.parent.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.parent.macho.go_stripped: + dashed_name: process-session-leader-parent-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.parent.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.session_leader.parent.macho.import_hash: + dashed_name: process-session-leader-parent-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.parent.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.session_leader.parent.macho.imports: + dashed_name: process-session-leader-parent-macho-imports + description: List of imported element names and types. + flat_name: process.session_leader.parent.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. 
+ type: flattened + process.session_leader.parent.macho.imports_names_entropy: + dashed_name: process-session-leader-parent-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.session_leader.parent.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.session_leader.parent.macho.imports_names_var_entropy: + dashed_name: process-session-leader-parent-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.parent.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.session_leader.parent.macho.sections: + dashed_name: process-session-leader-parent-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.session_leader.parent.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.session_leader.parent.macho.sections.entropy: + dashed_name: process-session-leader-parent-macho-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: process.session_leader.parent.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long + process.session_leader.parent.macho.sections.name: + dashed_name: process-session-leader-parent-macho-sections-name + description: Mach-O Section List name. + flat_name: process.session_leader.parent.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.session_leader.parent.macho.sections.physical_size: + dashed_name: process-session-leader-parent-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.session_leader.parent.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.session_leader.parent.macho.sections.var_entropy: + dashed_name: process-session-leader-parent-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.session_leader.parent.macho.sections.virtual_size: + dashed_name: process-session-leader-parent-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.session_leader.parent.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. 
+ type: long + process.session_leader.parent.macho.symhash: + dashed_name: process-session-leader-parent-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.session_leader.parent.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.session_leader.parent.name: + dashed_name: process-session-leader-parent-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.session_leader.parent.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword + process.session_leader.parent.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.session_leader.parent.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.session_leader.parent.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-origin-url + description: The URL where the process's executable file is hosted. 
+ example: http://example.com/files/example.exe + flat_name: process.session_leader.parent.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword + process.session_leader.parent.pe.architecture: + dashed_name: process-session-leader-parent-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.session_leader.parent.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + process.session_leader.parent.pe.company: + dashed_name: process-session-leader-parent-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.session_leader.parent.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.session_leader.parent.pe.description: + dashed_name: process-session-leader-parent-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.session_leader.parent.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + process.session_leader.parent.pe.file_version: + dashed_name: process-session-leader-parent-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.session_leader.parent.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. 
+ type: keyword + process.session_leader.parent.pe.go_import_hash: + dashed_name: process-session-leader-parent-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.parent.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword + process.session_leader.parent.pe.go_imports: + dashed_name: process-session-leader-parent-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.parent.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.session_leader.parent.pe.go_imports_names_entropy: + dashed_name: process-session-leader-parent-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.parent.pe.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.session_leader.parent.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.parent.pe.go_stripped: + dashed_name: process-session-leader-parent-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.parent.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.session_leader.parent.pe.imphash: + dashed_name: process-session-leader-parent-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.session_leader.parent.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.session_leader.parent.pe.import_hash: + dashed_name: process-session-leader-parent-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.parent.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.session_leader.parent.pe.imports: + dashed_name: process-session-leader-parent-pe-imports + description: List of imported element names and types. + flat_name: process.session_leader.parent.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + process.session_leader.parent.pe.imports_names_entropy: + dashed_name: process-session-leader-parent-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.session_leader.parent.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.session_leader.parent.pe.imports_names_var_entropy: + dashed_name: process-session-leader-parent-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.parent.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.session_leader.parent.pe.original_file_name: + dashed_name: process-session-leader-parent-pe-original-file-name + description: Internal name of the file, provided at compile-time. 
+ example: MSPAINT.EXE + flat_name: process.session_leader.parent.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + process.session_leader.parent.pe.pehash: + dashed_name: process-session-leader-parent-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.session_leader.parent.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword + process.session_leader.parent.pe.product: + dashed_name: process-session-leader-parent-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.session_leader.parent.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.session_leader.parent.pe.sections: + dashed_name: process-session-leader-parent-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.session_leader.parent.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. 
+ type: nested + process.session_leader.parent.pe.sections.entropy: + dashed_name: process-session-leader-parent-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + process.session_leader.parent.pe.sections.name: + dashed_name: process-session-leader-parent-pe-sections-name + description: PE Section List name. + flat_name: process.session_leader.parent.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + process.session_leader.parent.pe.sections.physical_size: + dashed_name: process-session-leader-parent-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.session_leader.parent.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.session_leader.parent.pe.sections.var_entropy: + dashed_name: process-session-leader-parent-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.session_leader.parent.pe.sections.virtual_size: + dashed_name: process-session-leader-parent-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. 
+ flat_name: process.session_leader.parent.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.session_leader.parent.pid: + dashed_name: process-session-leader-parent-pid + description: Process id. + example: 4242 + flat_name: process.session_leader.parent.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.session_leader.parent.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + flat_name: process.session_leader.parent.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.session_leader.parent.real_group.domain: + dashed_name: process-session-leader-parent-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.real_group.id: + dashed_name: process-session-leader-parent-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + process.session_leader.parent.real_group.name: + dashed_name: process-session-leader-parent-real-group-name + description: Name of the group. + flat_name: process.session_leader.parent.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.real_user.domain: + dashed_name: process-session-leader-parent-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.session_leader.parent.real_user.email: + dashed_name: process-session-leader-parent-real-user-email + description: User email address. + flat_name: process.session_leader.parent.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.session_leader.parent.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.session_leader.parent.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. 
+ type: object + process.session_leader.parent.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.session_leader.parent.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.parent.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.real_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.session_leader.parent.real_user.entity.id: + dashed_name: process-session-leader-parent-real-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.session_leader.parent.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.session_leader.parent.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.parent.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.session_leader.parent.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.session_leader.parent.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.session_leader.parent.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.session_leader.parent.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.session_leader.parent.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.session_leader.parent.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.real_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.session_leader.parent.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. 
+ flat_name: process.session_leader.parent.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.session_leader.parent.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.parent.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.session_leader.parent.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.session_leader.parent.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.session_leader.parent.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.parent.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.session_leader.parent.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. 
This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. 
This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.session_leader.parent.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.session_leader.parent.real_user.full_name: + dashed_name: process-session-leader-parent-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.session_leader.parent.real_user.group.domain: + dashed_name: process-session-leader-parent-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.session_leader.parent.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.real_user.group.id: + dashed_name: process-session-leader-parent-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.parent.real_user.group.name: + dashed_name: process-session-leader-parent-real-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.real_user.hash: + dashed_name: process-session-leader-parent-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.session_leader.parent.real_user.id: + dashed_name: process-session-leader-parent-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. 
+ type: keyword + process.session_leader.parent.real_user.name: + dashed_name: process-session-leader-parent-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.session_leader.parent.real_user.risk.calculated_level: + dashed_name: process-session-leader-parent-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.session_leader.parent.real_user.risk.calculated_score: + dashed_name: process-session-leader-parent-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + process.session_leader.parent.real_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.parent.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.session_leader.parent.real_user.risk.static_level: + dashed_name: process-session-leader-parent-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.session_leader.parent.real_user.risk.static_score: + dashed_name: process-session-leader-parent-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.session_leader.parent.real_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.parent.real_user.roles: + dashed_name: process-session-leader-parent-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.session_leader.parent.same_as_process: + dashed_name: process-session-leader-parent-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. 
+ e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.session_leader.parent.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. + type: boolean + process.session_leader.parent.saved_group.domain: + dashed_name: process-session-leader-parent-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.saved_group.id: + dashed_name: process-session-leader-parent-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.parent.saved_group.name: + dashed_name: process-session-leader-parent-saved-group-name + description: Name of the group. + flat_name: process.session_leader.parent.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.session_leader.parent.saved_user.domain: + dashed_name: process-session-leader-parent-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.session_leader.parent.saved_user.email: + dashed_name: process-session-leader-parent-saved-user-email + description: User email address. + flat_name: process.session_leader.parent.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.session_leader.parent.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.session_leader.parent.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.session_leader.parent.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. 
Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.session_leader.parent.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.parent.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.saved_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.session_leader.parent.saved_user.entity.id: + dashed_name: process-session-leader-parent-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. 
Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.session_leader.parent.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.session_leader.parent.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.parent.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.session_leader.parent.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.session_leader.parent.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. 
+ flat_name: process.session_leader.parent.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.session_leader.parent.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.session_leader.parent.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.saved_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.session_leader.parent.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.session_leader.parent.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.session_leader.parent.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. 
This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.parent.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.session_leader.parent.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.session_leader.parent.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.session_leader.parent.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.parent.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.session_leader.parent.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. 
Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. 
This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-type + description: 'A standardized high-level classification of the entity. 
This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.session_leader.parent.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.session_leader.parent.saved_user.full_name: + dashed_name: process-session-leader-parent-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.session_leader.parent.saved_user.group.domain: + dashed_name: process-session-leader-parent-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.saved_user.group.id: + dashed_name: process-session-leader-parent-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + process.session_leader.parent.saved_user.group.name: + dashed_name: process-session-leader-parent-saved-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.saved_user.hash: + dashed_name: process-session-leader-parent-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.session_leader.parent.saved_user.id: + dashed_name: process-session-leader-parent-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.session_leader.parent.saved_user.name: + dashed_name: process-session-leader-parent-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword + process.session_leader.parent.saved_user.risk.calculated_level: + dashed_name: process-session-leader-parent-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.session_leader.parent.saved_user.risk.calculated_score: + dashed_name: process-session-leader-parent-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.session_leader.parent.saved_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.parent.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float + process.session_leader.parent.saved_user.risk.static_level: + dashed_name: process-session-leader-parent-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.session_leader.parent.saved_user.risk.static_score: + dashed_name: process-session-leader-parent-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.session_leader.parent.saved_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.parent.saved_user.roles: + dashed_name: process-session-leader-parent-saved-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.session_leader.parent.session_leader.args: + dashed_name: process-session-leader-parent-session-leader-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.session_leader.parent.session_leader.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.session_leader.parent.session_leader.args_count: + dashed_name: process-session-leader-parent-session-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.session_leader.parent.session_leader.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long + process.session_leader.parent.session_leader.attested_groups.domain: + dashed_name: process-session-leader-parent-session-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.session_leader.parent.session_leader.attested_groups.id: + dashed_name: process-session-leader-parent-session-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.parent.session_leader.attested_groups.name: + dashed_name: process-session-leader-parent-session-leader-attested-groups-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.session_leader.attested_user.domain: + dashed_name: process-session-leader-parent-session-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.session_leader.parent.session_leader.attested_user.email: + dashed_name: process-session-leader-parent-session-leader-attested-user-email + description: User email address. + flat_name: process.session_leader.parent.session_leader.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.session_leader.parent.session_leader.attested_user.entity.attributes: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.session_leader.parent.session_leader.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.session_leader.parent.session_leader.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.session_leader.parent.session_leader.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. 
This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.parent.session_leader.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.attested_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.session_leader.parent.session_leader.attested_user.entity.id: + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.session_leader.parent.session_leader.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.session_leader.parent.session_leader.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. 
+ flat_name: process.session_leader.parent.session_leader.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.session_leader.parent.session_leader.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.session_leader.parent.session_leader.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.session_leader.parent.session_leader.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.session_leader.parent.session_leader.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. 
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.session_leader.parent.session_leader.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.attested_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.session_leader.parent.session_leader.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.session_leader.parent.session_leader.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.session_leader.parent.session_leader.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.parent.session_leader.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. 
+ type: keyword + process.session_leader.parent.session_leader.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.session_leader.parent.session_leader.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.session_leader.parent.session_leader.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.parent.session_leader.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.session_leader.parent.session_leader.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. 
+ name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
+ example: host + flat_name: process.session_leader.parent.session_leader.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.session_leader.parent.session_leader.attested_user.full_name: + dashed_name: process-session-leader-parent-session-leader-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.session_leader.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.session_leader.parent.session_leader.attested_user.group.domain: + dashed_name: process-session-leader-parent-session-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.session_leader.attested_user.group.id: + dashed_name: process-session-leader-parent-session-leader-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + process.session_leader.parent.session_leader.attested_user.group.name: + dashed_name: process-session-leader-parent-session-leader-attested-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.session_leader.attested_user.hash: + dashed_name: process-session-leader-parent-session-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.session_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.session_leader.parent.session_leader.attested_user.id: + dashed_name: process-session-leader-parent-session-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.session_leader.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.session_leader.parent.session_leader.attested_user.name: + dashed_name: process-session-leader-parent-session-leader-attested-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.session_leader.parent.session_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.session_leader.parent.session_leader.attested_user.risk.calculated_level: + dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.session_leader.parent.session_leader.attested_user.risk.calculated_score: + dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + process.session_leader.parent.session_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.session_leader.parent.session_leader.attested_user.risk.static_level: + dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.session_leader.parent.session_leader.attested_user.risk.static_score: + dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.session_leader.parent.session_leader.attested_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.parent.session_leader.attested_user.roles: + dashed_name: process-session-leader-parent-session-leader-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.session_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.session_leader.parent.session_leader.code_signature.digest_algorithm: + dashed_name: process-session-leader-parent-session-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.session_leader.parent.session_leader.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. 
+ type: keyword + process.session_leader.parent.session_leader.code_signature.exists: + dashed_name: process-session-leader-parent-session-leader-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.session_leader.parent.session_leader.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.session_leader.parent.session_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.session_leader.parent.session_leader.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword + process.session_leader.parent.session_leader.code_signature.signing_id: + dashed_name: process-session-leader-parent-session-leader-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.session_leader.parent.session_leader.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + process.session_leader.parent.session_leader.code_signature.status: + dashed_name: process-session-leader-parent-session-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. 
Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.session_leader.parent.session_leader.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + process.session_leader.parent.session_leader.code_signature.subject_name: + dashed_name: process-session-leader-parent-session-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.session_leader.parent.session_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.session_leader.parent.session_leader.code_signature.team_id: + dashed_name: process-session-leader-parent-session-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.session_leader.parent.session_leader.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + process.session_leader.parent.session_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. 
+ example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.session_leader.parent.session_leader.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword + process.session_leader.parent.session_leader.code_signature.timestamp: + dashed_name: process-session-leader-parent-session-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.session_leader.parent.session_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date + process.session_leader.parent.session_leader.code_signature.trusted: + dashed_name: process-session-leader-parent-session-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.session_leader.parent.session_leader.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.session_leader.parent.session_leader.code_signature.valid: + dashed_name: process-session-leader-parent-session-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' 
+ example: 'true' + flat_name: process.session_leader.parent.session_leader.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + process.session_leader.parent.session_leader.command_line: + dashed_name: process-session-leader-parent-session-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.session_leader.parent.session_leader.command_line + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.session_leader.parent.session_leader.elf.architecture: + dashed_name: process-session-leader-parent-session-leader-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.session_leader.parent.session_leader.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.session_leader.parent.session_leader.elf.byte_order: + dashed_name: process-session-leader-parent-session-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.session_leader.parent.session_leader.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. 
+ type: keyword + process.session_leader.parent.session_leader.elf.cpu_type: + dashed_name: process-session-leader-parent-session-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.session_leader.parent.session_leader.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + process.session_leader.parent.session_leader.elf.creation_date: + dashed_name: process-session-leader-parent-session-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: process.session_leader.parent.session_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + process.session_leader.parent.session_leader.elf.exports: + dashed_name: process-session-leader-parent-session-leader-elf-exports + description: List of exported element names and types. + flat_name: process.session_leader.parent.session_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + process.session_leader.parent.session_leader.elf.go_import_hash: + dashed_name: process-session-leader-parent-session-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.parent.session_leader.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + process.session_leader.parent.session_leader.elf.go_imports: + dashed_name: process-session-leader-parent-session-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.parent.session_leader.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.session_leader.parent.session_leader.elf.go_imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.session_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.parent.session_leader.elf.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.session_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long + process.session_leader.parent.session_leader.elf.go_stripped: + dashed_name: process-session-leader-parent-session-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.parent.session_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.session_leader.parent.session_leader.elf.header.abi_version: + dashed_name: process-session-leader-parent-session-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.session_leader.parent.session_leader.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.session_leader.parent.session_leader.elf.header.class: + dashed_name: process-session-leader-parent-session-leader-elf-header-class + description: Header class of the ELF file. + flat_name: process.session_leader.parent.session_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + process.session_leader.parent.session_leader.elf.header.data: + dashed_name: process-session-leader-parent-session-leader-elf-header-data + description: Data table of the ELF header. + flat_name: process.session_leader.parent.session_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. 
+ type: keyword + process.session_leader.parent.session_leader.elf.header.entrypoint: + dashed_name: process-session-leader-parent-session-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.session_leader.parent.session_leader.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.session_leader.parent.session_leader.elf.header.object_version: + dashed_name: process-session-leader-parent-session-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.session_leader.parent.session_leader.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.session_leader.parent.session_leader.elf.header.os_abi: + dashed_name: process-session-leader-parent-session-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.session_leader.parent.session_leader.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.session_leader.parent.session_leader.elf.header.type: + dashed_name: process-session-leader-parent-session-leader-elf-header-type + description: Header type of the ELF file. + flat_name: process.session_leader.parent.session_leader.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.session_leader.parent.session_leader.elf.header.version: + dashed_name: process-session-leader-parent-session-leader-elf-header-version + description: Version of the ELF header. 
+ flat_name: process.session_leader.parent.session_leader.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.session_leader.parent.session_leader.elf.import_hash: + dashed_name: process-session-leader-parent-session-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.parent.session_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword + process.session_leader.parent.session_leader.elf.imports: + dashed_name: process-session-leader-parent-session-leader-elf-imports + description: List of imported element names and types. + flat_name: process.session_leader.parent.session_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.session_leader.parent.session_leader.elf.imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.session_leader.parent.session_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. 
+ type: long + process.session_leader.parent.session_leader.elf.imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.parent.session_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.session_leader.parent.session_leader.elf.sections: + dashed_name: process-session-leader-parent-session-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.session_leader.parent.session_leader.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.session_leader.parent.session_leader.elf.sections.chi2: + dashed_name: process-session-leader-parent-session-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.session_leader.parent.session_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.session_leader.parent.session_leader.elf.sections.entropy: + dashed_name: process-session-leader-parent-session-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: process.session_leader.parent.session_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.session_leader.parent.session_leader.elf.sections.flags: + dashed_name: process-session-leader-parent-session-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.session_leader.parent.session_leader.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + process.session_leader.parent.session_leader.elf.sections.name: + dashed_name: process-session-leader-parent-session-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.session_leader.parent.session_leader.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.session_leader.parent.session_leader.elf.sections.physical_offset: + dashed_name: process-session-leader-parent-session-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.session_leader.parent.session_leader.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.session_leader.parent.session_leader.elf.sections.physical_size: + dashed_name: process-session-leader-parent-session-leader-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.session_leader.parent.session_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. 
+ type: long + process.session_leader.parent.session_leader.elf.sections.type: + dashed_name: process-session-leader-parent-session-leader-elf-sections-type + description: ELF Section List type. + flat_name: process.session_leader.parent.session_leader.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.session_leader.parent.session_leader.elf.sections.var_entropy: + dashed_name: process-session-leader-parent-session-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.session_leader.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long + process.session_leader.parent.session_leader.elf.sections.virtual_address: + dashed_name: process-session-leader-parent-session-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.session_leader.parent.session_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.session_leader.parent.session_leader.elf.sections.virtual_size: + dashed_name: process-session-leader-parent-session-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.session_leader.parent.session_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. 
+ type: long + process.session_leader.parent.session_leader.elf.segments: + dashed_name: process-session-leader-parent-session-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.session_leader.parent.session_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + process.session_leader.parent.session_leader.elf.segments.sections: + dashed_name: process-session-leader-parent-session-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.session_leader.parent.session_leader.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.session_leader.parent.session_leader.elf.segments.type: + dashed_name: process-session-leader-parent-session-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.session_leader.parent.session_leader.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + process.session_leader.parent.session_leader.elf.shared_libraries: + dashed_name: process-session-leader-parent-session-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.session_leader.parent.session_leader.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. 
+ type: keyword + process.session_leader.parent.session_leader.elf.telfhash: + dashed_name: process-session-leader-parent-session-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.session_leader.parent.session_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + process.session_leader.parent.session_leader.end: + dashed_name: process-session-leader-parent-session-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.parent.session_leader.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date + process.session_leader.parent.session_leader.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.session_leader.parent.session_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.session_leader.parent.session_leader.entity_id: + dashed_name: process-session-leader-parent-session-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. 
+ + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.session_leader.parent.session_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.address: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.session_leader.parent.session_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.as.number: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.session_leader.parent.session_leader.entry_meta.source.as.organization.name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.bytes: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.session_leader.parent.session_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.session_leader.parent.session_leader.entry_meta.source.domain: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.session_leader.parent.session_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.geo.city_name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. 
+ type: keyword + process.session_leader.parent.session_leader.entry_meta.source.geo.continent_code: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.geo.continent_name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.geo.country_name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. 
+ type: keyword + process.session_leader.parent.session_leader.entry_meta.source.geo.location: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + process.session_leader.parent.session_leader.entry_meta.source.geo.name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.geo.postal_code: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. 
+ type: keyword + process.session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.geo.region_name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.geo.timezone: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.ip: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.session_leader.parent.session_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. 
+ type: ip + process.session_leader.parent.session_leader.entry_meta.source.mac: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.session_leader.parent.session_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.nat.ip: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.session_leader.parent.session_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.session_leader.parent.session_leader.entry_meta.source.nat.port: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' 
+ flat_name: process.session_leader.parent.session_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.session_leader.parent.session_leader.entry_meta.source.packets: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.session_leader.parent.session_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.session_leader.parent.session_leader.entry_meta.source.port: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.session_leader.parent.session_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.session_leader.parent.session_leader.entry_meta.source.registered_domain: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.session_leader.parent.session_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. 
+ type: keyword + process.session_leader.parent.session_leader.entry_meta.source.subdomain: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.session_leader.parent.session_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.top_level_domain: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.session_leader.parent.session_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). 
+ type: keyword + process.session_leader.parent.session_leader.entry_meta.type: + dashed_name: process-session-leader-parent-session-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.session_leader.parent.session_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword + process.session_leader.parent.session_leader.env_vars: + dashed_name: process-session-leader-parent-session-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.session_leader.parent.session_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.session_leader.parent.session_leader.executable: + dashed_name: process-session-leader-parent-session-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.session_leader.parent.session_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. 
+ type: keyword + process.session_leader.parent.session_leader.exit_code: + dashed_name: process-session-leader-parent-session-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.session_leader.parent.session_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long + process.session_leader.parent.session_leader.group.domain: + dashed_name: process-session-leader-parent-session-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.session_leader.group.id: + dashed_name: process-session-leader-parent-session-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.parent.session_leader.group.name: + dashed_name: process-session-leader-parent-session-leader-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.session_leader.hash.cdhash: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.session_leader.parent.session_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.session_leader.parent.session_leader.hash.md5: + dashed_name: process-session-leader-parent-session-leader-hash-md5 + description: MD5 hash. + flat_name: process.session_leader.parent.session_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.session_leader.parent.session_leader.hash.sha1: + dashed_name: process-session-leader-parent-session-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.session_leader.parent.session_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + process.session_leader.parent.session_leader.hash.sha256: + dashed_name: process-session-leader-parent-session-leader-hash-sha256 + description: SHA256 hash. + flat_name: process.session_leader.parent.session_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.session_leader.parent.session_leader.hash.sha384: + dashed_name: process-session-leader-parent-session-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.session_leader.parent.session_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. 
+ type: keyword + process.session_leader.parent.session_leader.hash.sha512: + dashed_name: process-session-leader-parent-session-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.session_leader.parent.session_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.session_leader.parent.session_leader.hash.ssdeep: + dashed_name: process-session-leader-parent-session-leader-hash-ssdeep + description: SSDEEP hash. + flat_name: process.session_leader.parent.session_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + process.session_leader.parent.session_leader.hash.tlsh: + dashed_name: process-session-leader-parent-session-leader-hash-tlsh + description: TLSH hash. + flat_name: process.session_leader.parent.session_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.session_leader.parent.session_leader.interactive: + dashed_name: process-session-leader-parent-session-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' 
+ example: true + flat_name: process.session_leader.parent.session_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.session_leader.parent.session_leader.io: + dashed_name: process-session-leader-parent-session-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.session_leader.parent.session_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object + process.session_leader.parent.session_leader.io.bytes_skipped: + dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + flat_name: process.session_leader.parent.session_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.session_leader.parent.session_leader.io.bytes_skipped.length: + dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.session_leader.parent.session_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long + process.session_leader.parent.session_leader.io.bytes_skipped.offset: + dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. 
+ flat_name: process.session_leader.parent.session_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.session_leader.parent.session_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-session-leader-parent-session-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.session_leader.parent.session_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.session_leader.parent.session_leader.io.text: + dashed_name: process-session-leader-parent-session-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.session_leader.parent.session_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard + process.session_leader.parent.session_leader.io.total_bytes_captured: + dashed_name: process-session-leader-parent-session-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. 
+ flat_name: process.session_leader.parent.session_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long + process.session_leader.parent.session_leader.io.total_bytes_skipped: + dashed_name: process-session-leader-parent-session-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.session_leader.parent.session_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: long + process.session_leader.parent.session_leader.io.type: + dashed_name: process-session-leader-parent-session-leader-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.session_leader.parent.session_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword + process.session_leader.parent.session_leader.macho.go_import_hash: + dashed_name: process-session-leader-parent-session-leader-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.parent.session_leader.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword + process.session_leader.parent.session_leader.macho.go_imports: + dashed_name: process-session-leader-parent-session-leader-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.parent.session_leader.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.session_leader.parent.session_leader.macho.go_imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.session_leader.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.parent.session_leader.macho.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.session_leader.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long + process.session_leader.parent.session_leader.macho.go_stripped: + dashed_name: process-session-leader-parent-session-leader-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.parent.session_leader.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.session_leader.parent.session_leader.macho.import_hash: + dashed_name: process-session-leader-parent-session-leader-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.parent.session_leader.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.session_leader.parent.session_leader.macho.imports: + dashed_name: process-session-leader-parent-session-leader-macho-imports + description: List of imported element names and types. + flat_name: process.session_leader.parent.session_leader.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + process.session_leader.parent.session_leader.macho.imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.session_leader.parent.session_leader.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.session_leader.parent.session_leader.macho.imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.parent.session_leader.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.session_leader.parent.session_leader.macho.sections: + dashed_name: process-session-leader-parent-session-leader-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.session_leader.parent.session_leader.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.session_leader.parent.session_leader.macho.sections.entropy: + dashed_name: process-session-leader-parent-session-leader-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.session_leader.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. 
+ type: long + process.session_leader.parent.session_leader.macho.sections.name: + dashed_name: process-session-leader-parent-session-leader-macho-sections-name + description: Mach-O Section List name. + flat_name: process.session_leader.parent.session_leader.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.session_leader.parent.session_leader.macho.sections.physical_size: + dashed_name: process-session-leader-parent-session-leader-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.session_leader.parent.session_leader.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.session_leader.parent.session_leader.macho.sections.var_entropy: + dashed_name: process-session-leader-parent-session-leader-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.session_leader.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.session_leader.parent.session_leader.macho.sections.virtual_size: + dashed_name: process-session-leader-parent-session-leader-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.session_leader.parent.session_leader.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. 
+ type: long + process.session_leader.parent.session_leader.macho.symhash: + dashed_name: process-session-leader-parent-session-leader-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.session_leader.parent.session_leader.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.session_leader.parent.session_leader.name: + dashed_name: process-session-leader-parent-session-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.session_leader.parent.session_leader.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword + process.session_leader.parent.session_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.session_leader.parent.session_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.session_leader.parent.session_leader.origin_url: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.session_leader.parent.session_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword + process.session_leader.parent.session_leader.pe.architecture: + dashed_name: process-session-leader-parent-session-leader-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.session_leader.parent.session_leader.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + process.session_leader.parent.session_leader.pe.company: + dashed_name: process-session-leader-parent-session-leader-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.session_leader.parent.session_leader.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.session_leader.parent.session_leader.pe.description: + dashed_name: process-session-leader-parent-session-leader-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.session_leader.parent.session_leader.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. 
+ type: keyword + process.session_leader.parent.session_leader.pe.file_version: + dashed_name: process-session-leader-parent-session-leader-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.session_leader.parent.session_leader.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + process.session_leader.parent.session_leader.pe.go_import_hash: + dashed_name: process-session-leader-parent-session-leader-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.parent.session_leader.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword + process.session_leader.parent.session_leader.pe.go_imports: + dashed_name: process-session-leader-parent-session-leader-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.parent.session_leader.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. 
+ type: flattened + process.session_leader.parent.session_leader.pe.go_imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.session_leader.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.parent.session_leader.pe.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.session_leader.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.parent.session_leader.pe.go_stripped: + dashed_name: process-session-leader-parent-session-leader-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.parent.session_leader.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.session_leader.parent.session_leader.pe.imphash: + dashed_name: process-session-leader-parent-session-leader-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
+ + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.session_leader.parent.session_leader.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.session_leader.parent.session_leader.pe.import_hash: + dashed_name: process-session-leader-parent-session-leader-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.parent.session_leader.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.session_leader.parent.session_leader.pe.imports: + dashed_name: process-session-leader-parent-session-leader-pe-imports + description: List of imported element names and types. + flat_name: process.session_leader.parent.session_leader.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + process.session_leader.parent.session_leader.pe.imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.session_leader.parent.session_leader.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. 
+ type: long + process.session_leader.parent.session_leader.pe.imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.parent.session_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.session_leader.parent.session_leader.pe.original_file_name: + dashed_name: process-session-leader-parent-session-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.session_leader.parent.session_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + process.session_leader.parent.session_leader.pe.pehash: + dashed_name: process-session-leader-parent-session-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.session_leader.parent.session_leader.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. 
+ type: keyword + process.session_leader.parent.session_leader.pe.product: + dashed_name: process-session-leader-parent-session-leader-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.session_leader.parent.session_leader.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.session_leader.parent.session_leader.pe.sections: + dashed_name: process-session-leader-parent-session-leader-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.session_leader.parent.session_leader.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.session_leader.parent.session_leader.pe.sections.entropy: + dashed_name: process-session-leader-parent-session-leader-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.session_leader.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + process.session_leader.parent.session_leader.pe.sections.name: + dashed_name: process-session-leader-parent-session-leader-pe-sections-name + description: PE Section List name. + flat_name: process.session_leader.parent.session_leader.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. 
+ type: keyword + process.session_leader.parent.session_leader.pe.sections.physical_size: + dashed_name: process-session-leader-parent-session-leader-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.session_leader.parent.session_leader.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.session_leader.parent.session_leader.pe.sections.var_entropy: + dashed_name: process-session-leader-parent-session-leader-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.session_leader.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.session_leader.parent.session_leader.pe.sections.virtual_size: + dashed_name: process-session-leader-parent-session-leader-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.session_leader.parent.session_leader.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.session_leader.parent.session_leader.pid: + dashed_name: process-session-leader-parent-session-leader-pid + description: Process id. + example: 4242 + flat_name: process.session_leader.parent.session_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.session_leader.parent.session_leader.platform_binary: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + flat_name: process.session_leader.parent.session_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.session_leader.parent.session_leader.real_group.domain: + dashed_name: process-session-leader-parent-session-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.session_leader.real_group.id: + dashed_name: process-session-leader-parent-session-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.parent.session_leader.real_group.name: + dashed_name: process-session-leader-parent-session-leader-real-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.session_leader.parent.session_leader.real_user.domain: + dashed_name: process-session-leader-parent-session-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.session_leader.parent.session_leader.real_user.email: + dashed_name: process-session-leader-parent-session-leader-real-user-email + description: User email address. + flat_name: process.session_leader.parent.session_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.session_leader.parent.session_leader.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.session_leader.parent.session_leader.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.session_leader.parent.session_leader.real_user.entity.behavior: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.session_leader.parent.session_leader.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.parent.session_leader.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.real_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.session_leader.parent.session_leader.real_user.entity.id: + dashed_name: process-session-leader-parent-session-leader-real-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.session_leader.parent.session_leader.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.session_leader.parent.session_leader.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.parent.session_leader.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.session_leader.parent.session_leader.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.session_leader.parent.session_leader.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.session_leader.parent.session_leader.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.session_leader.parent.session_leader.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.session_leader.parent.session_leader.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.session_leader.parent.session_leader.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.real_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.session_leader.parent.session_leader.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. 
While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.session_leader.parent.session_leader.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.session_leader.parent.session_leader.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.parent.session_leader.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.session_leader.parent.session_leader.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.session_leader.parent.session_leader.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.session_leader.parent.session_leader.real_user.entity.sub_type: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.parent.session_leader.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.session_leader.parent.session_leader.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. 
This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.session_leader.parent.session_leader.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.session_leader.parent.session_leader.real_user.full_name: + dashed_name: process-session-leader-parent-session-leader-real-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.session_leader.parent.session_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.session_leader.parent.session_leader.real_user.group.domain: + dashed_name: process-session-leader-parent-session-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.session_leader.real_user.group.id: + dashed_name: process-session-leader-parent-session-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.parent.session_leader.real_user.group.name: + dashed_name: process-session-leader-parent-session-leader-real-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.session_leader.parent.session_leader.real_user.hash: + dashed_name: process-session-leader-parent-session-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.session_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.session_leader.parent.session_leader.real_user.id: + dashed_name: process-session-leader-parent-session-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.session_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.session_leader.parent.session_leader.real_user.name: + dashed_name: process-session-leader-parent-session-leader-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.session_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.session_leader.parent.session_leader.real_user.risk.calculated_level: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.session_leader.parent.session_leader.real_user.risk.calculated_score: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.session_leader.parent.session_leader.real_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.session_leader.parent.session_leader.real_user.risk.static_level: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.session_leader.parent.session_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.session_leader.parent.session_leader.real_user.risk.static_score: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.session_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.session_leader.parent.session_leader.real_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.session_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.parent.session_leader.real_user.roles: + dashed_name: process-session-leader-parent-session-leader-real-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.session_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.session_leader.parent.session_leader.same_as_process: + dashed_name: process-session-leader-parent-session-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.session_leader.parent.session_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. 
+ type: boolean + process.session_leader.parent.session_leader.saved_group.domain: + dashed_name: process-session-leader-parent-session-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.session_leader.saved_group.id: + dashed_name: process-session-leader-parent-session-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.parent.session_leader.saved_group.name: + dashed_name: process-session-leader-parent-session-leader-saved-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.session_leader.saved_user.domain: + dashed_name: process-session-leader-parent-session-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. 
+ type: keyword + process.session_leader.parent.session_leader.saved_user.email: + dashed_name: process-session-leader-parent-session-leader-saved-user-email + description: User email address. + flat_name: process.session_leader.parent.session_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.session_leader.parent.session_leader.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.session_leader.parent.session_leader.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.session_leader.parent.session_leader.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.session_leader.parent.session_leader.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.session_leader.parent.session_leader.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.parent.session_leader.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.saved_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.session_leader.parent.session_leader.saved_user.entity.id: + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ flat_name: process.session_leader.parent.session_leader.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.session_leader.parent.session_leader.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.parent.session_leader.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.session_leader.parent.session_leader.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.session_leader.parent.session_leader.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. 
+ flat_name: process.session_leader.parent.session_leader.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.session_leader.parent.session_leader.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.session_leader.parent.session_leader.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.saved_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.session_leader.parent.session_leader.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.session_leader.parent.session_leader.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.session_leader.parent.session_leader.saved_user.entity.reference: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.parent.session_leader.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.session_leader.parent.session_leader.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.session_leader.parent.session_leader.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.session_leader.parent.session_leader.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: process.session_leader.parent.session_leader.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.session_leader.parent.session_leader.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. 
+ This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.session_leader.parent.session_leader.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.session_leader.parent.session_leader.saved_user.full_name: + dashed_name: process-session-leader-parent-session-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.session_leader.saved_user.full_name ignore_above: 1024 level: extended - name: sha384 + multi_fields: + - flat_name: process.session_leader.parent.session_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name normalize: [] - original_fieldset: hash - short: SHA384 hash. + original_fieldset: user + short: User's full name, if available. type: keyword - process.parent.hash.sha512: - dashed_name: process-parent-hash-sha512 - description: SHA512 hash. - flat_name: process.parent.hash.sha512 + process.session_leader.parent.session_leader.saved_user.group.domain: + dashed_name: process-session-leader-parent-session-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. 
+ + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.saved_user.group.domain ignore_above: 1024 level: extended - name: sha512 + name: domain normalize: [] - original_fieldset: hash - short: SHA512 hash. + original_fieldset: group + short: Name of the directory the group is a member of. type: keyword - process.parent.hash.ssdeep: - dashed_name: process-parent-hash-ssdeep - description: SSDEEP hash. - flat_name: process.parent.hash.ssdeep + process.session_leader.parent.session_leader.saved_user.group.id: + dashed_name: process-session-leader-parent-session-leader-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.saved_user.group.id ignore_above: 1024 level: extended - name: ssdeep + name: id normalize: [] - original_fieldset: hash - short: SSDEEP hash. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword - process.parent.hash.tlsh: - dashed_name: process-parent-hash-tlsh - description: TLSH hash. - flat_name: process.parent.hash.tlsh + process.session_leader.parent.session_leader.saved_user.group.name: + dashed_name: process-session-leader-parent-session-leader-saved-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.saved_user.group.name ignore_above: 1024 level: extended - name: tlsh + name: name normalize: [] - original_fieldset: hash - short: TLSH hash. + original_fieldset: group + short: Name of the group. type: keyword - process.parent.interactive: - dashed_name: process-parent-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. 
+ process.session_leader.parent.session_leader.saved_user.hash: + dashed_name: process-session-leader-parent-session-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.parent.interactive + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.session_leader.saved_user.hash + ignore_above: 1024 level: extended - name: interactive + name: hash normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.parent.macho.go_import_hash: - dashed_name: process-parent-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.macho.go_import_hash + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.session_leader.parent.session_leader.saved_user.id: + dashed_name: process-session-leader-parent-session-leader-saved-user-id + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.session_leader.saved_user.id ignore_above: 1024 - level: extended - name: go_import_hash + level: core + name: id normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. + original_fieldset: user + short: Unique identifier of the user. type: keyword - process.parent.macho.go_imports: - dashed_name: process-parent-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.macho.go_imports - level: extended - name: go_imports + process.session_leader.parent.session_leader.saved_user.name: + dashed_name: process-session-leader-parent-session-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.session_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.saved_user.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.parent.macho.go_imports_names_entropy: - dashed_name: process-parent-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.macho.go_imports_names_entropy - format: number + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.session_leader.parent.session_leader.saved_user.risk.calculated_level: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_level + ignore_above: 1024 level: extended - name: go_imports_names_entropy + name: calculated_level normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long - process.parent.macho.go_imports_names_var_entropy: - dashed_name: process-parent-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.macho.go_imports_names_var_entropy - format: number + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.session_leader.parent.session_leader.saved_user.risk.calculated_score: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_score level: extended - name: go_imports_names_var_entropy + name: calculated_score normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.parent.macho.go_stripped: - dashed_name: process-parent-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.macho.go_stripped + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + process.session_leader.parent.session_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_score_norm level: extended - name: go_stripped + name: calculated_score_norm normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.parent.macho.import_hash: - dashed_name: process-parent-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.macho.import_hash + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.session_leader.parent.session_leader.saved_user.risk.static_level: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_level ignore_above: 1024 level: extended - name: import_hash + name: static_level normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. 
type: keyword - process.parent.macho.imports: - dashed_name: process-parent-macho-imports - description: List of imported element names and types. - flat_name: process.parent.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened - process.parent.macho.imports_names_entropy: - dashed_name: process-parent-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.parent.macho.imports_names_entropy - format: number + process.session_leader.parent.session_leader.saved_user.risk.static_score: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_score level: extended - name: imports_names_entropy + name: static_score normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.parent.macho.imports_names_var_entropy: - dashed_name: process-parent-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.macho.imports_names_var_entropy - format: number + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.session_leader.parent.session_leader.saved_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_score_norm level: extended - name: imports_names_var_entropy + name: static_score_norm normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.parent.macho.sections: - dashed_name: process-parent-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.parent.macho.sections + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.parent.session_leader.saved_user.roles: + dashed_name: process-session-leader-parent-session-leader-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.session_leader.saved_user.roles + ignore_above: 1024 level: extended - name: sections + name: roles normalize: - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.parent.macho.sections.entropy: - dashed_name: process-parent-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.macho.sections.entropy - format: number + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword + process.session_leader.parent.session_leader.start: + dashed_name: process-session-leader-parent-session-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.parent.session_leader.start level: extended - name: sections.entropy + name: start normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long - process.parent.macho.sections.name: - dashed_name: process-parent-macho-sections-name - description: Mach-O Section List name. - flat_name: process.parent.macho.sections.name + original_fieldset: process + short: The time the process started. + type: date + process.session_leader.parent.session_leader.supplemental_groups.domain: + dashed_name: process-session-leader-parent-session-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.supplemental_groups.domain ignore_above: 1024 level: extended - name: sections.name + name: domain normalize: [] - original_fieldset: macho - short: Mach-O Section List name. + original_fieldset: group + short: Name of the directory the group is a member of. type: keyword - process.parent.macho.sections.physical_size: - dashed_name: process-parent-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.parent.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long - process.parent.macho.sections.var_entropy: - dashed_name: process-parent-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. 
- flat_name: process.parent.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long - process.parent.macho.sections.virtual_size: - dashed_name: process-parent-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long - process.parent.macho.symhash: - dashed_name: process-parent-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.parent.macho.symhash + process.session_leader.parent.session_leader.supplemental_groups.id: + dashed_name: process-session-leader-parent-session-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.supplemental_groups.id ignore_above: 1024 level: extended - name: symhash + name: id normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword - process.parent.name: - dashed_name: process-parent-name - description: 'Process name. - - Sometimes called program name or similar.' 
- example: ssh - flat_name: process.parent.name + process.session_leader.parent.session_leader.supplemental_groups.name: + dashed_name: process-session-leader-parent-session-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.supplemental_groups.name ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.parent.name.text - name: text - type: match_only_text name: name normalize: [] - original_fieldset: process - short: Process name. + original_fieldset: group + short: Name of the group. type: keyword - process.parent.pe.architecture: - dashed_name: process-parent-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.parent.pe.architecture + process.session_leader.parent.session_leader.thread.capabilities.effective: + dashed_name: process-session-leader-parent-session-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.session_leader.parent.session_leader.thread.capabilities.effective ignore_above: 1024 level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none type: keyword - process.parent.pe.company: - dashed_name: process-parent-pe-company - description: Internal company name of the file, provided at compile-time. 
- example: Microsoft Corporation - flat_name: process.parent.pe.company + process.session_leader.parent.session_leader.thread.capabilities.permitted: + dashed_name: process-session-leader-parent-session-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.session_leader.parent.session_leader.thread.capabilities.permitted ignore_above: 1024 level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none type: keyword - process.parent.pe.description: - dashed_name: process-parent-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.parent.pe.description - ignore_above: 1024 + process.session_leader.parent.session_leader.thread.id: + dashed_name: process-session-leader-parent-session-leader-thread-id + description: Thread ID. + example: 4242 + flat_name: process.session_leader.parent.session_leader.thread.id + format: string level: extended - name: description + name: thread.id normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword - process.parent.pe.file_version: - dashed_name: process-parent-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.parent.pe.file_version + original_fieldset: process + short: Thread ID. + type: long + process.session_leader.parent.session_leader.thread.name: + dashed_name: process-session-leader-parent-session-leader-thread-name + description: Thread name. 
+ example: thread-0 + flat_name: process.session_leader.parent.session_leader.thread.name ignore_above: 1024 level: extended - name: file_version + name: thread.name normalize: [] - original_fieldset: pe - short: Process name. + original_fieldset: process + short: Thread name. type: keyword - process.parent.pe.go_import_hash: - dashed_name: process-parent-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. + process.session_leader.parent.session_leader.title: + dashed_name: process-session-leader-parent-session-leader-title + description: 'Process title. - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.pe.go_import_hash + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + flat_name: process.session_leader.parent.session_leader.title ignore_above: 1024 level: extended - name: go_import_hash + multi_fields: + - flat_name: process.session_leader.parent.session_leader.title.text + name: text + type: match_only_text + name: title normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. + original_fieldset: process + short: Process title. type: keyword - process.parent.pe.go_imports: - dashed_name: process-parent-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.pe.go_imports + process.session_leader.parent.session_leader.tty: + dashed_name: process-session-leader-parent-session-leader-tty + description: Information about the controlling TTY device. 
If set, the process + belongs to an interactive session. + flat_name: process.session_leader.parent.session_leader.tty level: extended - name: go_imports + name: tty normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.parent.pe.go_imports_names_entropy: - dashed_name: process-parent-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.pe.go_imports_names_entropy - format: number + original_fieldset: process + short: Information about the controlling TTY device. + type: object + process.session_leader.parent.session_leader.tty.char_device.major: + dashed_name: process-session-leader-parent-session-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.session_leader.parent.session_leader.tty.char_device.major level: extended - name: go_imports_names_entropy + name: tty.char_device.major normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. + original_fieldset: process + short: The TTY character device's major number. type: long - process.parent.pe.go_imports_names_var_entropy: - dashed_name: process-parent-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. 
- flat_name: process.parent.pe.go_imports_names_var_entropy - format: number + process.session_leader.parent.session_leader.tty.char_device.minor: + dashed_name: process-session-leader-parent-session-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.session_leader.parent.session_leader.tty.char_device.minor level: extended - name: go_imports_names_var_entropy + name: tty.char_device.minor normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. + original_fieldset: process + short: The TTY character device's minor number. type: long - process.parent.pe.go_stripped: - dashed_name: process-parent-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.pe.go_stripped + process.session_leader.parent.session_leader.tty.columns: + dashed_name: process-session-leader-parent-session-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.session_leader.parent.session_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long + process.session_leader.parent.session_leader.tty.rows: + dashed_name: process-session-leader-parent-session-leader-tty-rows + description: 'The number of character rows in the terminal. 
e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.session_leader.parent.session_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long + process.session_leader.parent.session_leader.uptime: + dashed_name: process-session-leader-parent-session-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.session_leader.parent.session_leader.uptime level: extended - name: go_stripped + name: uptime normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.parent.pe.imphash: - dashed_name: process-parent-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. + original_fieldset: process + short: Seconds the process has been up. + type: long + process.session_leader.parent.session_leader.user.domain: + dashed_name: process-session-leader-parent-session-leader-user-domain + description: 'Name of the directory the user is a member of. - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.parent.pe.imphash + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.user.domain ignore_above: 1024 level: extended - name: imphash + name: domain normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. + original_fieldset: user + short: Name of the directory the user is a member of. 
type: keyword - process.parent.pe.import_hash: - dashed_name: process-parent-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.pe.import_hash + process.session_leader.parent.session_leader.user.email: + dashed_name: process-session-leader-parent-session-leader-user-email + description: User email address. + flat_name: process.session_leader.parent.session_leader.user.email ignore_above: 1024 level: extended - name: import_hash + name: email normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. + original_fieldset: user + short: User email address. type: keyword - process.parent.pe.imports: - dashed_name: process-parent-pe-imports - description: List of imported element names and types. - flat_name: process.parent.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened - process.parent.pe.imports_names_entropy: - dashed_name: process-parent-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.parent.pe.imports_names_entropy - format: number + process.session_leader.parent.session_leader.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. 
Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.session_leader.parent.session_leader.user.entity.attributes level: extended - name: imports_names_entropy + name: attributes normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.parent.pe.imports_names_var_entropy: - dashed_name: process-parent-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.pe.imports_names_var_entropy - format: number + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.session_leader.parent.session_leader.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.user.entity.behavior level: extended - name: imports_names_var_entropy + name: behavior normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.parent.pe.original_file_name: - dashed_name: process-parent-pe-original-file-name - description: Internal name of the file, provided at compile-time. 
- example: MSPAINT.EXE - flat_name: process.parent.pe.original_file_name + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.session_leader.parent.session_leader.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.parent.session_leader.user.entity.display_name ignore_above: 1024 level: extended - name: original_file_name + multi_fields: + - flat_name: process.session_leader.parent.session_leader.user.entity.display_name.text + name: text + type: match_only_text + name: display_name normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. type: keyword - process.parent.pe.pehash: - dashed_name: process-parent-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.parent.pe.pehash + process.session_leader.parent.session_leader.user.entity.id: + dashed_name: process-session-leader-parent-session-leader-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.session_leader.parent.session_leader.user.entity.id ignore_above: 1024 - level: extended - name: pehash + level: core + name: id normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. + original_fieldset: entity + short: Unique identifier for the entity. type: keyword - process.parent.pe.product: - dashed_name: process-parent-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.parent.pe.product - ignore_above: 1024 + process.session_leader.parent.session_leader.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.parent.session_leader.user.entity.last_seen_timestamp level: extended - name: product + name: last_seen_timestamp normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.parent.pe.sections: - dashed_name: process-parent-pe-sections - description: 'An array containing an object for each section of the PE file. 
- - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.parent.pe.sections + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.session_leader.parent.session_leader.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.user.entity.lifecycle level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested - process.parent.pe.sections.entropy: - dashed_name: process-parent-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.pe.sections.entropy - format: number + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.session_leader.parent.session_leader.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.session_leader.parent.session_leader.user.entity.metrics level: extended - name: sections.entropy + name: metrics normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long - process.parent.pe.sections.name: - dashed_name: process-parent-pe-sections-name - description: PE Section List name. 
- flat_name: process.parent.pe.sections.name + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.session_leader.parent.session_leader.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.session_leader.parent.session_leader.user.entity.name ignore_above: 1024 - level: extended - name: sections.name + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.user.entity.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: pe - short: PE Section List name. + original_fieldset: entity + short: The name of the entity. type: keyword - process.parent.pe.sections.physical_size: - dashed_name: process-parent-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.parent.pe.sections.physical_size - format: bytes + process.session_leader.parent.session_leader.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.session_leader.parent.session_leader.user.entity.raw level: extended - name: sections.physical_size + name: raw normalize: [] - original_fieldset: pe - short: PE Section List physical size. 
- type: long - process.parent.pe.sections.var_entropy: - dashed_name: process-parent-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.pe.sections.var_entropy - format: number + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.session_leader.parent.session_leader.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.parent.session_leader.user.entity.reference + ignore_above: 1024 level: extended - name: sections.var_entropy + name: reference normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.parent.pe.sections.virtual_size: - dashed_name: process-parent-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.pe.sections.virtual_size - format: string + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.session_leader.parent.session_leader.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.session_leader.parent.session_leader.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. 
+ type: keyword + process.session_leader.parent.session_leader.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.parent.session_leader.user.entity.sub_type + ignore_above: 1024 level: extended - name: sections.virtual_size + name: sub_type normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.parent.pid: - dashed_name: process-parent-pid - description: Process id. - example: 4242 - flat_name: process.parent.pid - format: string + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.session_leader.parent.session_leader.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. 
+ name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. 
+ name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.session_leader.parent.session_leader.user.entity.type + ignore_above: 1024 level: core - name: pid + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. 
+ type: keyword + process.session_leader.parent.session_leader.user.full_name: + dashed_name: process-session-leader-parent-session-leader-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.session_leader.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.user.full_name.text + name: text + type: match_only_text + name: full_name normalize: [] - original_fieldset: process - short: Process id. - type: long - process.parent.real_group.id: - dashed_name: process-parent-real-group-id + original_fieldset: user + short: User's full name, if available. + type: keyword + process.session_leader.parent.session_leader.user.group.domain: + dashed_name: process-session-leader-parent-session-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.session_leader.user.group.id: + dashed_name: process-session-leader-parent-session-leader-user-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.parent.real_group.id + flat_name: process.session_leader.parent.session_leader.user.group.id ignore_above: 1024 level: extended name: id 
@@ -16026,10 +59667,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.parent.real_group.name: - dashed_name: process-parent-real-group-name + process.session_leader.parent.session_leader.user.group.name: + dashed_name: process-session-leader-parent-session-leader-user-group-name description: Name of the group. - flat_name: process.parent.real_group.name + flat_name: process.session_leader.parent.session_leader.user.group.name ignore_above: 1024 level: extended name: name @@ -16037,11 +59678,26 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.parent.real_user.id: - dashed_name: process-parent-real-user-id + process.session_leader.parent.session_leader.user.hash: + dashed_name: process-session-leader-parent-session-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.session_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.session_leader.parent.session_leader.user.id: + dashed_name: process-session-leader-parent-session-leader-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.real_user.id + flat_name: process.session_leader.parent.session_leader.user.id ignore_above: 1024 level: core name: id 
@@ -16049,15 +59705,15 @@ process: original_fieldset: user short: Unique identifier of the user. type: keyword - process.parent.real_user.name: - dashed_name: process-parent-real-user-name + process.session_leader.parent.session_leader.user.name: + dashed_name: process-session-leader-parent-session-leader-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.parent.real_user.name + flat_name: process.session_leader.parent.session_leader.user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.parent.real_user.name.text + - flat_name: process.session_leader.parent.session_leader.user.name.text name: text type: match_only_text name: name 
@@ -16065,71 +59721,160 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword - process.parent.saved_group.id: - dashed_name: process-parent-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.saved_group.id + process.session_leader.parent.session_leader.user.risk.calculated_level: + dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.session_leader.user.risk.calculated_level ignore_above: 1024 level: extended - name: id + name: calculated_level normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. type: keyword - process.parent.saved_group.name: - dashed_name: process-parent-saved-group-name - description: Name of the group. - flat_name: process.parent.saved_group.name + process.session_leader.parent.session_leader.user.risk.calculated_score: + dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.session_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + process.session_leader.parent.session_leader.user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.parent.session_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.session_leader.parent.session_leader.user.risk.static_level: + dashed_name: process-session-leader-parent-session-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.session_leader.user.risk.static_level ignore_above: 1024 level: extended - name: name + name: static_level normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. type: keyword - process.parent.saved_user.id: - dashed_name: process-parent-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.saved_user.id - ignore_above: 1024 - level: core - name: id + process.session_leader.parent.session_leader.user.risk.static_score: + dashed_name: process-session-leader-parent-session-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.session_leader.parent.session_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.session_leader.parent.session_leader.user.risk.static_score_norm: + dashed_name: process-session-leader-parent-session-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.session_leader.user.risk.static_score_norm + level: extended + name: static_score_norm normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.parent.session_leader.user.roles: + dashed_name: process-session-leader-parent-session-leader-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.session_leader.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array original_fieldset: user - short: Unique identifier of the user. + short: Array of user roles at the time of the event. + synthetic_source_keep: none type: keyword - process.parent.saved_user.name: - dashed_name: process-parent-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.saved_user.name + process.session_leader.parent.session_leader.vpid: + dashed_name: process-session-leader-parent-session-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. 
This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.session_leader.parent.session_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.session_leader.parent.session_leader.working_directory: + dashed_name: process-session-leader-parent-session-leader-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.session_leader.parent.session_leader.working_directory ignore_above: 1024 - level: core + level: extended multi_fields: - - flat_name: process.parent.saved_user.name.text + - flat_name: process.session_leader.parent.session_leader.working_directory.text name: text type: match_only_text - name: name + name: working_directory normalize: [] - original_fieldset: user - short: Short name or login of the user. + original_fieldset: process + short: The working directory of the process. type: keyword - process.parent.start: - dashed_name: process-parent-start + process.session_leader.parent.start: + dashed_name: process-session-leader-parent-start description: The time the process started. example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.start + flat_name: process.session_leader.parent.start level: extended name: start normalize: [] original_fieldset: process short: The time the process started. type: date - process.parent.supplemental_groups.id: - dashed_name: process-parent-supplemental-groups-id + process.session_leader.parent.supplemental_groups.domain: + dashed_name: process-session-leader-parent-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.session_leader.parent.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.supplemental_groups.id: + dashed_name: process-session-leader-parent-supplemental-groups-id description: Unique identifier for the group on the system/platform. - flat_name: process.parent.supplemental_groups.id + flat_name: process.session_leader.parent.supplemental_groups.id ignore_above: 1024 level: extended name: id @@ -16137,10 +59882,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.parent.supplemental_groups.name: - dashed_name: process-parent-supplemental-groups-name + process.session_leader.parent.supplemental_groups.name: + dashed_name: process-session-leader-parent-supplemental-groups-name description: Name of the group. - flat_name: process.parent.supplemental_groups.name + flat_name: process.session_leader.parent.supplemental_groups.name ignore_above: 1024 level: extended name: name @@ -16148,12 +59893,12 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.parent.thread.capabilities.effective: - dashed_name: process-parent-thread-capabilities-effective + process.session_leader.parent.thread.capabilities.effective: + dashed_name: process-session-leader-parent-thread-capabilities-effective description: This is the set of capabilities used by the kernel to perform permission checks for the thread. example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.thread.capabilities.effective + flat_name: process.session_leader.parent.thread.capabilities.effective ignore_above: 1024 level: extended name: thread.capabilities.effective 
@@ -16164,12 +59909,12 @@ process: short: Array of capabilities used for permission checks. synthetic_source_keep: none type: keyword - process.parent.thread.capabilities.permitted: - dashed_name: process-parent-thread-capabilities-permitted + process.session_leader.parent.thread.capabilities.permitted: + dashed_name: process-session-leader-parent-thread-capabilities-permitted description: This is a limiting superset for the effective capabilities that the thread may assume. example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.thread.capabilities.permitted + flat_name: process.session_leader.parent.thread.capabilities.permitted ignore_above: 1024 level: extended name: thread.capabilities.permitted @@ -16180,11 +59925,11 @@ process: short: Array of capabilities a thread could assume. synthetic_source_keep: none type: keyword - process.parent.thread.id: - dashed_name: process-parent-thread-id + process.session_leader.parent.thread.id: + dashed_name: process-session-leader-parent-thread-id description: Thread ID. example: 4242 - flat_name: process.parent.thread.id + flat_name: process.session_leader.parent.thread.id format: string level: extended name: thread.id @@ -16192,11 +59937,11 @@ process: original_fieldset: process short: Thread ID. type: long - process.parent.thread.name: - dashed_name: process-parent-thread-name + process.session_leader.parent.thread.name: + dashed_name: process-session-leader-parent-thread-name description: Thread name. example: thread-0 - flat_name: process.parent.thread.name + flat_name: process.session_leader.parent.thread.name ignore_above: 1024 level: extended name: thread.name 
@@ -16204,17 +59949,17 @@ process: original_fieldset: process short: Thread name. type: keyword - process.parent.title: - dashed_name: process-parent-title + process.session_leader.parent.title: + dashed_name: process-session-leader-parent-title description: 'Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' - flat_name: process.parent.title + flat_name: process.session_leader.parent.title ignore_above: 1024 level: extended multi_fields: - - flat_name: process.parent.title.text + - flat_name: process.session_leader.parent.title.text name: text type: match_only_text name: title 
@@ -16222,61 +59967,441 @@ process: original_fieldset: process short: Process title. type: keyword - process.parent.tty: - dashed_name: process-parent-tty + process.session_leader.parent.tty: + dashed_name: process-session-leader-parent-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. - flat_name: process.parent.tty + flat_name: process.session_leader.parent.tty level: extended name: tty normalize: [] original_fieldset: process short: Information about the controlling TTY device. type: object - process.parent.tty.char_device.major: - dashed_name: process-parent-tty-char-device-major + process.session_leader.parent.tty.char_device.major: + dashed_name: process-session-leader-parent-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. example: 4 - flat_name: process.parent.tty.char_device.major + flat_name: process.session_leader.parent.tty.char_device.major level: extended name: tty.char_device.major normalize: [] original_fieldset: process short: The TTY character device's major number. type: long - process.parent.tty.char_device.minor: - dashed_name: process-parent-tty-char-device-minor + process.session_leader.parent.tty.char_device.minor: + dashed_name: process-session-leader-parent-tty-char-device-minor description: The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them. 
example: 1 - flat_name: process.parent.tty.char_device.minor + flat_name: process.session_leader.parent.tty.char_device.minor level: extended name: tty.char_device.minor normalize: [] original_fieldset: process short: The TTY character device's minor number. type: long - process.parent.uptime: - dashed_name: process-parent-uptime + process.session_leader.parent.tty.columns: + dashed_name: process-session-leader-parent-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.session_leader.parent.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long + process.session_leader.parent.tty.rows: + dashed_name: process-session-leader-parent-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.session_leader.parent.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long + process.session_leader.parent.uptime: + dashed_name: process-session-leader-parent-uptime description: Seconds the process has been up. example: 1325 - flat_name: process.parent.uptime + flat_name: process.session_leader.parent.uptime level: extended name: uptime normalize: [] original_fieldset: process short: Seconds the process has been up. 
type: long - process.parent.user.id: - dashed_name: process-parent-user-id + process.session_leader.parent.user.domain: + dashed_name: process-session-leader-parent-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.session_leader.parent.user.email: + dashed_name: process-session-leader-parent-user-email + description: User email address. + flat_name: process.session_leader.parent.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.session_leader.parent.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.session_leader.parent.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.session_leader.parent.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. 
Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.session_leader.parent.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.parent.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.session_leader.parent.user.entity.id: + dashed_name: process-session-leader-parent-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ flat_name: process.session_leader.parent.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.session_leader.parent.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.parent.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.session_leader.parent.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.session_leader.parent.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.session_leader.parent.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. 
+ type: object + process.session_leader.parent.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.session_leader.parent.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.session_leader.parent.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.session_leader.parent.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.session_leader.parent.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: process.session_leader.parent.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.session_leader.parent.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.session_leader.parent.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.session_leader.parent.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.parent.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.session_leader.parent.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. 
Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. 
Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. 
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.session_leader.parent.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.session_leader.parent.user.full_name: + dashed_name: process-session-leader-parent-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.session_leader.parent.user.group.domain: + dashed_name: process-session-leader-parent-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.user.group.id: + dashed_name: process-session-leader-parent-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.parent.user.group.name: + dashed_name: process-session-leader-parent-user-group-name + description: Name of the group. 
+ flat_name: process.session_leader.parent.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.user.hash: + dashed_name: process-session-leader-parent-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.session_leader.parent.user.id: + dashed_name: process-session-leader-parent-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.user.id + flat_name: process.session_leader.parent.user.id ignore_above: 1024 level: core name: id @@ -16284,15 +60409,15 @@ process: original_fieldset: user short: Unique identifier of the user. type: keyword - process.parent.user.name: - dashed_name: process-parent-user-name + process.session_leader.parent.user.name: + dashed_name: process-session-leader-parent-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.parent.user.name + flat_name: process.session_leader.parent.user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.parent.user.name.text + - flat_name: process.session_leader.parent.user.name.text name: text type: match_only_text name: name 
@@ -16300,15 +60425,109 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword - process.parent.vpid: - dashed_name: process-parent-vpid + process.session_leader.parent.user.risk.calculated_level: + dashed_name: process-session-leader-parent-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.session_leader.parent.user.risk.calculated_score: + dashed_name: process-session-leader-parent-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.session_leader.parent.user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.parent.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float + process.session_leader.parent.user.risk.static_level: + dashed_name: process-session-leader-parent-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.session_leader.parent.user.risk.static_score: + dashed_name: process-session-leader-parent-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.session_leader.parent.user.risk.static_score_norm: + dashed_name: process-session-leader-parent-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.parent.user.roles: + dashed_name: process-session-leader-parent-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.session_leader.parent.vpid: + dashed_name: process-session-leader-parent-vpid description: 'Virtual process id. The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within.' example: 4242 - flat_name: process.parent.vpid + flat_name: process.session_leader.parent.vpid format: string level: core name: vpid @@ -16316,15 +60535,15 @@ process: original_fieldset: process short: Virtual process id. type: long - process.parent.working_directory: - dashed_name: process-parent-working-directory + process.session_leader.parent.working_directory: + dashed_name: process-session-leader-parent-working-directory description: The working directory of the process. example: /home/alice - flat_name: process.parent.working_directory + flat_name: process.session_leader.parent.working_directory ignore_above: 1024 level: extended multi_fields: - - flat_name: process.parent.working_directory.text + - flat_name: process.session_leader.parent.working_directory.text name: text type: match_only_text name: working_directory @@ -16332,11 +60551,11 @@ process: original_fieldset: process short: The working directory of the process. type: keyword - process.pe.architecture: - dashed_name: process-pe-architecture + process.session_leader.pe.architecture: + dashed_name: process-session-leader-pe-architecture description: CPU architecture target for the file. example: x64 - flat_name: process.pe.architecture + flat_name: process.session_leader.pe.architecture ignore_above: 1024 level: extended name: architecture 
@@ -16344,11 +60563,11 @@ process: original_fieldset: pe short: CPU architecture target for the file. type: keyword - process.pe.company: - dashed_name: process-pe-company + process.session_leader.pe.company: + dashed_name: process-session-leader-pe-company description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation - flat_name: process.pe.company + flat_name: process.session_leader.pe.company ignore_above: 1024 level: extended name: company @@ -16356,11 +60575,11 @@ process: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword - process.pe.description: - dashed_name: process-pe-description + process.session_leader.pe.description: + dashed_name: process-session-leader-pe-description description: Internal description of the file, provided at compile-time. example: Paint - flat_name: process.pe.description + flat_name: process.session_leader.pe.description ignore_above: 1024 level: extended name: description @@ -16368,11 +60587,11 @@ process: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword - process.pe.file_version: - dashed_name: process-pe-file-version + process.session_leader.pe.file_version: + dashed_name: process-session-leader-pe-file-version description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 - flat_name: process.pe.file_version + flat_name: process.session_leader.pe.file_version ignore_above: 1024 level: extended name: file_version 
@@ -16380,8 +60599,8 @@ process: original_fieldset: pe short: Process name. type: keyword - process.pe.go_import_hash: - dashed_name: process-pe-go-import-hash + process.session_leader.pe.go_import_hash: + dashed_name: process-session-leader-pe-go-import-hash description: 'A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would @@ -16390,7 +60609,7 @@ process: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.pe.go_import_hash + flat_name: process.session_leader.pe.go_import_hash ignore_above: 1024 level: extended name: go_import_hash @@ -16398,20 +60617,20 @@ process: original_fieldset: pe short: A hash of the Go language imports in a PE file. type: keyword - process.pe.go_imports: - dashed_name: process-pe-go-imports + process.session_leader.pe.go_imports: + dashed_name: process-session-leader-pe-go-imports description: List of imported Go language element names and types. - flat_name: process.pe.go_imports + flat_name: process.session_leader.pe.go_imports level: extended name: go_imports normalize: [] original_fieldset: pe short: List of imported Go language element names and types. type: flattened - process.pe.go_imports_names_entropy: - dashed_name: process-pe-go-imports-names-entropy + process.session_leader.pe.go_imports_names_entropy: + dashed_name: process-session-leader-pe-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.pe.go_imports_names_entropy + flat_name: process.session_leader.pe.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy 
@@ -16419,10 +60638,10 @@ process: original_fieldset: pe short: Shannon entropy calculation from the list of Go imports. type: long - process.pe.go_imports_names_var_entropy: - dashed_name: process-pe-go-imports-names-var-entropy + process.session_leader.pe.go_imports_names_var_entropy: + dashed_name: process-session-leader-pe-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.pe.go_imports_names_var_entropy + flat_name: process.session_leader.pe.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy @@ -16430,26 +60649,26 @@ process: original_fieldset: pe short: Variance for Shannon entropy calculation from the list of Go imports. type: long - process.pe.go_stripped: - dashed_name: process-pe-go-stripped + process.session_leader.pe.go_stripped: + dashed_name: process-session-leader-pe-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.pe.go_stripped + flat_name: process.session_leader.pe.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: pe short: Whether the file is a stripped or obfuscated Go executable. type: boolean - process.pe.imphash: - dashed_name: process-pe-imphash + process.session_leader.pe.imphash: + dashed_name: process-session-leader-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.pe.imphash + flat_name: process.session_leader.pe.imphash ignore_above: 1024 level: extended name: imphash 
@@ -16457,15 +60676,15 @@ process: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword - process.pe.import_hash: - dashed_name: process-pe-import-hash + process.session_leader.pe.import_hash: + dashed_name: process-session-leader-pe-import-hash description: 'A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for imphash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.pe.import_hash + flat_name: process.session_leader.pe.import_hash ignore_above: 1024 level: extended name: import_hash @@ -16473,10 +60692,10 @@ process: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword - process.pe.imports: - dashed_name: process-pe-imports + process.session_leader.pe.imports: + dashed_name: process-session-leader-pe-imports description: List of imported element names and types. - flat_name: process.pe.imports + flat_name: process.session_leader.pe.imports level: extended name: imports normalize: @@ -16484,11 +60703,11 @@ process: original_fieldset: pe short: List of imported element names and types. type: flattened - process.pe.imports_names_entropy: - dashed_name: process-pe-imports-names-entropy + process.session_leader.pe.imports_names_entropy: + dashed_name: process-session-leader-pe-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.pe.imports_names_entropy + flat_name: process.session_leader.pe.imports_names_entropy format: number level: extended name: imports_names_entropy 
@@ -16497,11 +60716,11 @@ process: short: Shannon entropy calculation from the list of imported element names and types. type: long - process.pe.imports_names_var_entropy: - dashed_name: process-pe-imports-names-var-entropy + process.session_leader.pe.imports_names_var_entropy: + dashed_name: process-session-leader-pe-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.pe.imports_names_var_entropy + flat_name: process.session_leader.pe.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy @@ -16510,11 +60729,11 @@ process: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long - process.pe.original_file_name: - dashed_name: process-pe-original-file-name + process.session_leader.pe.original_file_name: + dashed_name: process-session-leader-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE - flat_name: process.pe.original_file_name + flat_name: process.session_leader.pe.original_file_name ignore_above: 1024 level: extended name: original_file_name @@ -16522,15 +60741,15 @@ process: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: keyword - process.pe.pehash: - dashed_name: process-pe-pehash + process.session_leader.pe.pehash: + dashed_name: process-session-leader-pe-pehash description: 'A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.pe.pehash + flat_name: process.session_leader.pe.pehash ignore_above: 1024 level: extended name: pehash 
@@ -16538,11 +60757,11 @@ process: original_fieldset: pe short: A hash of the PE header and data from one or more PE sections. type: keyword - process.pe.product: - dashed_name: process-pe-product + process.session_leader.pe.product: + dashed_name: process-session-leader-pe-product description: Internal product name of the file, provided at compile-time. example: Microsoft® Windows® Operating System - flat_name: process.pe.product + flat_name: process.session_leader.pe.product ignore_above: 1024 level: extended name: product @@ -16550,13 +60769,13 @@ process: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword - process.pe.sections: - dashed_name: process-pe-sections + process.session_leader.pe.sections: + dashed_name: process-session-leader-pe-sections description: 'An array containing an object for each section of the PE file. The keys that should be present in these objects are defined by sub-fields underneath `pe.sections.*`.' - flat_name: process.pe.sections + flat_name: process.session_leader.pe.sections level: extended name: sections normalize: @@ -16564,10 +60783,10 @@ process: original_fieldset: pe short: Section information of the PE file. type: nested - process.pe.sections.entropy: - dashed_name: process-pe-sections-entropy + process.session_leader.pe.sections.entropy: + dashed_name: process-session-leader-pe-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.pe.sections.entropy + flat_name: process.session_leader.pe.sections.entropy format: number level: extended name: sections.entropy 
@@ -16575,10 +60794,10 @@ process: original_fieldset: pe short: Shannon entropy calculation from the section. type: long - process.pe.sections.name: - dashed_name: process-pe-sections-name + process.session_leader.pe.sections.name: + dashed_name: process-session-leader-pe-sections-name description: PE Section List name. - flat_name: process.pe.sections.name + flat_name: process.session_leader.pe.sections.name ignore_above: 1024 level: extended name: sections.name @@ -16586,10 +60805,10 @@ process: original_fieldset: pe short: PE Section List name. type: keyword - process.pe.sections.physical_size: - dashed_name: process-pe-sections-physical-size + process.session_leader.pe.sections.physical_size: + dashed_name: process-session-leader-pe-sections-physical-size description: PE Section List physical size. - flat_name: process.pe.sections.physical_size + flat_name: process.session_leader.pe.sections.physical_size format: bytes level: extended name: sections.physical_size @@ -16597,10 +60816,10 @@ process: original_fieldset: pe short: PE Section List physical size. type: long - process.pe.sections.var_entropy: - dashed_name: process-pe-sections-var-entropy + process.session_leader.pe.sections.var_entropy: + dashed_name: process-session-leader-pe-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.pe.sections.var_entropy + flat_name: process.session_leader.pe.sections.var_entropy format: number level: extended name: sections.var_entropy 
@@ -16608,10 +60827,10 @@ process: original_fieldset: pe short: Variance for Shannon entropy calculation from the section. type: long - process.pe.sections.virtual_size: - dashed_name: process-pe-sections-virtual-size + process.session_leader.pe.sections.virtual_size: + dashed_name: process-session-leader-pe-sections-virtual-size description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.pe.sections.virtual_size + flat_name: process.session_leader.pe.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -16619,71 +60838,50 @@ process: original_fieldset: pe short: PE Section List virtual size. This is always the same as `physical_size`. type: long - process.pid: - dashed_name: process-pid + process.session_leader.pid: + dashed_name: process-session-leader-pid description: Process id. example: 4242 - flat_name: process.pid + flat_name: process.session_leader.pid format: string level: core name: pid normalize: [] + original_fieldset: process otel: - relation: match - stability: development short: Process id. type: long - process.previous.args: - dashed_name: process-previous-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.previous.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.previous.args_count: - dashed_name: process-previous-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.previous.args_count + process.session_leader.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + flat_name: process.session_leader.platform_binary level: extended - name: args_count + name: platform_binary normalize: [] original_fieldset: process - short: Length of the process.args array. - type: long - process.previous.executable: - dashed_name: process-previous-executable - description: Absolute path to the process executable. 
- example: /usr/bin/ssh - flat_name: process.previous.executable + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.session_leader.real_group.domain: + dashed_name: process-session-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.real_group.domain ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.previous.executable.text - name: text - type: match_only_text - name: executable + name: domain normalize: [] - original_fieldset: process - short: Absolute path to the process executable. + original_fieldset: group + short: Name of the directory the group is a member of. type: keyword - process.real_group.id: - dashed_name: process-real-group-id + process.session_leader.real_group.id: + dashed_name: process-session-leader-real-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.real_group.id + flat_name: process.session_leader.real_group.id ignore_above: 1024 level: extended name: id @@ -16691,10 +60889,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.real_group.name: - dashed_name: process-real-group-name + process.session_leader.real_group.name: + dashed_name: process-session-leader-real-group-name description: Name of the group. - flat_name: process.real_group.name + flat_name: process.session_leader.real_group.name ignore_above: 1024 level: extended name: name 
@@ -16702,379 +60900,325 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.real_user.id: - dashed_name: process-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.real_user.id + process.session_leader.real_user.domain: + dashed_name: process-session-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.real_user.domain ignore_above: 1024 - level: core - name: id + level: extended + name: domain normalize: [] original_fieldset: user - otel: - - relation: match - stability: development - short: Unique identifier of the user. + short: Name of the directory the user is a member of. type: keyword - process.real_user.name: - dashed_name: process-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.real_user.name + process.session_leader.real_user.email: + dashed_name: process-session-leader-real-user-email + description: User email address. + flat_name: process.session_leader.real_user.email ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.real_user.name.text - name: text - type: match_only_text - name: name + level: extended + name: email normalize: [] original_fieldset: user - otel: - - relation: match - stability: development - short: Short name or login of the user. + short: User email address. type: keyword - process.saved_group.id: - dashed_name: process-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.saved_group.id - ignore_above: 1024 + process.session_leader.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. 
Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.session_leader.real_user.entity.attributes level: extended - name: id + name: attributes normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.saved_group.name: - dashed_name: process-saved-group-name - description: Name of the group. - flat_name: process.saved_group.name - ignore_above: 1024 + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.session_leader.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.real_user.entity.behavior level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.saved_user.id: - dashed_name: process-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.saved_user.id - ignore_above: 1024 - level: core - name: id + name: behavior normalize: [] - original_fieldset: user - otel: - - relation: match - stability: development - short: Unique identifier of the user. 
- type: keyword - process.saved_user.name: - dashed_name: process-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.saved_user.name + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.session_leader.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.real_user.entity.display_name ignore_above: 1024 - level: core + level: extended multi_fields: - - flat_name: process.saved_user.name.text + - flat_name: process.session_leader.real_user.entity.display_name.text name: text type: match_only_text - name: name + name: display_name normalize: [] - original_fieldset: user - otel: - - relation: match - stability: development - short: Short name or login of the user. + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. type: keyword - process.session_leader.args: - dashed_name: process-session-leader-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.session_leader.args + process.session_leader.real_user.entity.id: + dashed_name: process-session-leader-real-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.session_leader.real_user.entity.id ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. type: keyword - process.session_leader.args_count: - dashed_name: process-session-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.session_leader.args_count + process.session_leader.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.real_user.entity.last_seen_timestamp level: extended - name: args_count + name: last_seen_timestamp normalize: [] - original_fieldset: process - short: Length of the process.args array. 
- type: long - process.session_leader.command_line: - dashed_name: process-session-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.session_leader.command_line + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.session_leader.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.real_user.entity.lifecycle level: extended - multi_fields: - - flat_name: process.session_leader.command_line.text - name: text - type: match_only_text - name: command_line + name: lifecycle normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.session_leader.entity_id: - dashed_name: process-session-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' 
- example: c2c455d9f99375d - flat_name: process.session_leader.entity_id - ignore_above: 1024 + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.session_leader.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.session_leader.real_user.entity.metrics level: extended - name: entity_id + name: metrics normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.session_leader.executable: - dashed_name: process-session-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.session_leader.executable + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.session_leader.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.session_leader.real_user.entity.name ignore_above: 1024 - level: extended + level: core multi_fields: - - flat_name: process.session_leader.executable.text + - flat_name: process.session_leader.real_user.entity.name.text name: text type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. 
- type: keyword - process.session_leader.group.id: - dashed_name: process-session-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.group.name: - dashed_name: process-session-leader-group-name - description: Name of the group. - flat_name: process.session_leader.group.name - ignore_above: 1024 - level: extended name: name normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: entity + short: The name of the entity. type: keyword - process.session_leader.interactive: - dashed_name: process-session-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.session_leader.interactive + process.session_leader.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. 
+ flat_name: process.session_leader.real_user.entity.raw level: extended - name: interactive + name: raw normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.session_leader.name: - dashed_name: process-session-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.session_leader.name + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.session_leader.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.real_user.entity.reference ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.session_leader.name.text - name: text - type: match_only_text - name: name + name: reference normalize: [] - original_fieldset: process - short: Process name. + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. type: keyword - process.session_leader.parent.entity_id: - dashed_name: process-session-leader-parent-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' 
- example: c2c455d9f99375d - flat_name: process.session_leader.parent.entity_id + process.session_leader.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.session_leader.real_user.entity.source ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.session_leader.parent.pid: - dashed_name: process-session-leader-parent-pid - description: Process id. - example: 4242 - flat_name: process.session_leader.parent.pid - format: string level: core - name: pid + name: source normalize: [] - original_fieldset: process - short: Process id. - type: long - process.session_leader.parent.session_leader.entity_id: - dashed_name: process-session-leader-parent-session-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.session_leader.parent.session_leader.entity_id + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.session_leader.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. 
This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.real_user.entity.sub_type ignore_above: 1024 level: extended - name: entity_id + name: sub_type normalize: [] - original_fieldset: process - short: Unique identifier for the process. + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. type: keyword - process.session_leader.parent.session_leader.pid: - dashed_name: process-session-leader-parent-session-leader-pid - description: Process id. - example: 4242 - flat_name: process.session_leader.parent.session_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.session_leader.parent.session_leader.start: - dashed_name: process-session-leader-parent-session-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.session_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.session_leader.parent.session_leader.vpid: - dashed_name: process-session-leader-parent-session-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' 
- example: 4242 - flat_name: process.session_leader.parent.session_leader.vpid - format: string + process.session_leader.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. 
This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. 
+ This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.session_leader.real_user.entity.type + ignore_above: 1024 level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.session_leader.parent.start: - dashed_name: process-session-leader-parent-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.start + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.session_leader.real_user.full_name: + dashed_name: process-session-leader-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.real_user.full_name + ignore_above: 1024 level: extended - name: start + multi_fields: + - flat_name: process.session_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.session_leader.parent.vpid: - dashed_name: process-session-leader-parent-vpid - description: 'Virtual process id. + original_fieldset: user + short: User's full name, if available. 
+ type: keyword + process.session_leader.real_user.group.domain: + dashed_name: process-session-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.session_leader.parent.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.session_leader.pid: - dashed_name: process-session-leader-pid - description: Process id. - example: 4242 - flat_name: process.session_leader.pid - format: string - level: core - name: pid + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain normalize: [] - original_fieldset: process - otel: - - relation: match - stability: development - short: Process id. - type: long - process.session_leader.real_group.id: - dashed_name: process-session-leader-real-group-id + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.real_user.group.id: + dashed_name: process-session-leader-real-user-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.real_group.id + flat_name: process.session_leader.real_user.group.id ignore_above: 1024 level: extended name: id 
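Review bot: the `process.session_leader.real_user` reuse widens in this hunk from the previous `id`/`name` pair (see the removed `process.real_user.id` and `process.real_user.name` blocks and the unchanged `process.session_leader.real_user.id` context) to the full `user` field set: `domain`, `email`, `full_name`, `group.*` and the whole beta `entity.*` set, including the `allowed_values` list for `entity.type`. Please confirm that widening the reuse under `process.*` is intended rather than a side effect of adding the `entity` nesting to `user`, since the same expansion repeats for every `process.*_user` reuse. Two nits that land here through generation and should be fixed in the entity schema source (`schemas/entity.yml` is part of this series): the `entity.name` description reads "this field should mirrors the corresponding *.name value" (drop the "s"), and the `entity.sub_type` description has stray spaces before the commas in "`hardware` , `virtual` , `container` , `node` , `cloud_instance`". The new `cloud` allowed value's description, "Represents a cloud or infrastructure.", is also vague; "Represents a cloud provider or cloud infrastructure" would read better.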
@@ -17082,10 +61226,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.session_leader.real_group.name: - dashed_name: process-session-leader-real-group-name + process.session_leader.real_user.group.name: + dashed_name: process-session-leader-real-user-group-name description: Name of the group. - flat_name: process.session_leader.real_group.name + flat_name: process.session_leader.real_user.group.name ignore_above: 1024 level: extended name: name @@ -17093,6 +61237,21 @@ process: original_fieldset: group short: Name of the group. type: keyword + process.session_leader.real_user.hash: + dashed_name: process-session-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword process.session_leader.real_user.id: dashed_name: process-session-leader-real-user-id description: Unique identifier of the user. 
@@ -17121,6 +61280,100 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword + process.session_leader.real_user.risk.calculated_level: + dashed_name: process-session-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.session_leader.real_user.risk.calculated_score: + dashed_name: process-session-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.session_leader.real_user.risk.calculated_score_norm: + dashed_name: process-session-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float + process.session_leader.real_user.risk.static_level: + dashed_name: process-session-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.session_leader.real_user.risk.static_score: + dashed_name: process-session-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.session_leader.real_user.risk.static_score_norm: + dashed_name: process-session-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.real_user.roles: + dashed_name: process-session-leader-real-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword process.session_leader.same_as_process: dashed_name: process-session-leader-same-as-process description: 'This boolean is used to identify if a leader process is the same @@ -17151,6 +61404,19 @@ process: short: This boolean is used to identify if a leader process is the same as the top level process. type: boolean + process.session_leader.saved_group.domain: + dashed_name: process-session-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword process.session_leader.saved_group.id: dashed_name: process-session-leader-saved-group-id description: Unique identifier for the group on the system/platform. 
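Review bot: in the `@@ -17121,6 +61280,100 @@` hunk, the `short` for `process.session_leader.real_user.risk.static_score_norm` says the score is "calculated by an external system" while its own `description` (and the neighbouring `static_score` / `static_level` fields) say it is "obtained from outside the system, such as from some external Threat Intelligence Platform"; align the summary with the description, e.g. `short: A normalized risk score obtained from an external system.` Because this file is generated, make that change in the `risk` schema source so it survives the next regeneration. Also worth stating in the PR description: the `risk.*` and `roles` fields added here are not part of the `entity.*` additions elsewhere in this patch but a consequence of the full `user` field set now being expanded into `process.session_leader.real_user`, which is why the header shows the target file jumping from line 17121 to 61280.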
@@ -17173,33 +61439,479 @@ process: original_fieldset: group short: Name of the group. type: keyword + process.session_leader.saved_user.domain: + dashed_name: process-session-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.session_leader.saved_user.email: + dashed_name: process-session-leader-saved-user-email + description: User email address. + flat_name: process.session_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.session_leader.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.session_leader.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.session_leader.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. 
Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.session_leader.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.saved_user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.session_leader.saved_user.entity.id: + dashed_name: process-session-leader-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ flat_name: process.session_leader.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.session_leader.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.session_leader.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.session_leader.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.session_leader.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. 
+ type: object + process.session_leader.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.session_leader.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.saved_user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.session_leader.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.session_leader.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.session_leader.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: process.session_leader.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.session_leader.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.session_leader.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.session_leader.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.session_leader.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. 
Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. 
Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. 
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.session_leader.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.session_leader.saved_user.full_name: + dashed_name: process-session-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.session_leader.saved_user.group.domain: + dashed_name: process-session-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.saved_user.group.id: + dashed_name: process-session-leader-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.saved_user.group.name: + dashed_name: process-session-leader-saved-user-group-name + description: Name of the group. 
+ flat_name: process.session_leader.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.saved_user.hash: + dashed_name: process-session-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword process.session_leader.saved_user.id: dashed_name: process-session-leader-saved-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 flat_name: process.session_leader.saved_user.id ignore_above: 1024 - level: core - name: id + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.session_leader.saved_user.name: + dashed_name: process-session-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.session_leader.saved_user.risk.calculated_level: + dashed_name: process-session-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.session_leader.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.session_leader.saved_user.risk.calculated_score: + dashed_name: process-session-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.session_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-session-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.session_leader.saved_user.risk.static_level: + dashed_name: process-session-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
+ original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. type: keyword - process.session_leader.saved_user.name: - dashed_name: process-session-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.saved_user.name.text - name: text - type: match_only_text - name: name + process.session_leader.saved_user.risk.static_score: + dashed_name: process-session-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.session_leader.saved_user.risk.static_score_norm: + dashed_name: process-session-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.saved_user.roles: + dashed_name: process-session-leader-saved-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array original_fieldset: user - short: Short name or login of the user. + short: Array of user roles at the time of the event. + synthetic_source_keep: none type: keyword process.session_leader.start: dashed_name: process-session-leader-start @@ -17212,6 +61924,19 @@ process: original_fieldset: process short: The time the process started. type: date + process.session_leader.supplemental_groups.domain: + dashed_name: process-session-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword process.session_leader.supplemental_groups.id: dashed_name: process-session-leader-supplemental-groups-id description: Unique identifier for the group on the system/platform. 
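Review bot: the `@@ -17173,33 +61439,479 @@` hunk turns a `process.session_leader.saved_user` nesting that previously carried only `id` and `name` (see the removed and re-added `name: id` / `name: name` lines near the end of the hunk) into the complete `user` field set with its second-level reuses `group.*`, `risk.*` and `entity.*`; confirm that inlining every nested reuse into the deep `process.session_leader.*` user nestings is intended and not a side effect of reusing `entity` into `user`, since it places the whole beta `entity.*` set under a process subfield and accounts for most of the growth in this generated file. Two wording issues in the same hunk belong in the `entity` schema source: the `process.session_leader.saved_user.entity.name` description reads "this field should mirrors the corresponding *.name value" (should be "should mirror"), and the `sub_type` description has stray spaces before the commas in "`hardware` , `virtual` , `container` , `node` , `cloud_instance`". Finally, the new `cloud` allowed value for `entity.type` is illustrated with "such as AWS EC2", while the `sub_type` description in the same hunk maps `cloud_instance` to entity type `host`; tighten the `cloud` description to the provider/account scope it says it is used to correlate across so it does not overlap with `host`.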
@@ -17234,6 +61959,80 @@ process: original_fieldset: group short: Name of the group. type: keyword + process.session_leader.thread.capabilities.effective: + dashed_name: process-session-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.session_leader.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword + process.session_leader.thread.capabilities.permitted: + dashed_name: process-session-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.session_leader.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword + process.session_leader.thread.id: + dashed_name: process-session-leader-thread-id + description: Thread ID. + example: 4242 + flat_name: process.session_leader.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long + process.session_leader.thread.name: + dashed_name: process-session-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.session_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. 
+ type: keyword + process.session_leader.title: + dashed_name: process-session-leader-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + flat_name: process.session_leader.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword process.session_leader.tty: dashed_name: process-session-leader-tty description: Information about the controlling TTY device. If set, the process 
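Review bot: in the `@@ -17234,6 +61959,80 @@` hunk, the `process.session_leader.title` description reads "The proctitle, some times the same as process name" ("sometimes"); this text is copied from the `process` field set into every nesting, so fix it in the `process` schema source rather than in the generated output. The two `thread.capabilities.*` arrays are consistent with each other (`pattern: ^(CAP_[A-Z_]+|\d+)$`, `normalize: [array]`, `synthetic_source_keep: none`), and `thread.id` keeping `format: string` on a `long` is fine, so nothing else to raise here beyond the same question of whether `session_leader` is meant to carry the full `process` field set.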
@@ -17273,6 +62072,397 @@ process: original_fieldset: process short: The TTY character device's minor number. type: long + process.session_leader.tty.columns: + dashed_name: process-session-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.session_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long + process.session_leader.tty.rows: + dashed_name: process-session-leader-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.session_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long + process.session_leader.uptime: + dashed_name: process-session-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.session_leader.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long + process.session_leader.user.domain: + dashed_name: process-session-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. 
+ type: keyword + process.session_leader.user.email: + dashed_name: process-session-leader-user-email + description: User email address. + flat_name: process.session_leader.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.session_leader.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.session_leader.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.session_leader.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.session_leader.user.entity.display_name: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.session_leader.user.entity.id: + dashed_name: process-session-leader-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.session_leader.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.session_leader.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. 
+ flat_name: process.session_leader.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.session_leader.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.session_leader.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.session_leader.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.session_leader.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. 
+ flat_name: process.session_leader.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.session_leader.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.session_leader.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.session_leader.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.session_leader.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). 
+ flat_name: process.session_leader.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.session_leader.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.session_leader.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. 
+ Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. 
Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.session_leader.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.session_leader.user.full_name: + dashed_name: process-session-leader-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.session_leader.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.session_leader.user.group.domain: + dashed_name: process-session-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.user.group.id: + dashed_name: process-session-leader-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.user.group.name: + dashed_name: process-session-leader-user-group-name + description: Name of the group. + flat_name: process.session_leader.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.user.hash: + dashed_name: process-session-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. 
+ type: keyword process.session_leader.user.id: dashed_name: process-session-leader-user-id description: Unique identifier of the user. 
@@ -17301,6 +62491,100 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword + process.session_leader.user.risk.calculated_level: + dashed_name: process-session-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.session_leader.user.risk.calculated_score: + dashed_name: process-session-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.session_leader.user.risk.calculated_score_norm: + dashed_name: process-session-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float + process.session_leader.user.risk.static_level: + dashed_name: process-session-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.session_leader.user.risk.static_score: + dashed_name: process-session-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.session_leader.user.risk.static_score_norm: + dashed_name: process-session-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.user.roles: + dashed_name: process-session-leader-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword process.session_leader.vpid: dashed_name: process-session-leader-vpid description: 'Virtual process id. @@ -17343,6 +62627,19 @@ process: normalize: [] short: The time the process started. type: date + process.supplemental_groups.domain: + dashed_name: process-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword process.supplemental_groups.id: dashed_name: process-supplemental-groups-id description: Unique identifier for the group on the system/platform. @@ -17434,7 +62731,6 @@ process: normalize: [] otel: - relation: match - stability: development short: Process title. type: keyword process.tty: 
@@ -17510,9 +62806,360 @@ process: otel: - metric: process.uptime relation: metric - stability: development short: Seconds the process has been up. type: long + process.user.domain: + dashed_name: process-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.user.email: + dashed_name: process-user-email + description: User email address. + flat_name: process.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.user.entity.id: + dashed_name: process-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. 
+ dashed_name: process-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. 
+ flat_name: process.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.user.entity.sub_type: + beta: This field is beta and subject to change. 
+ dashed_name: process-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. 
Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. 
+ name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: process-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: process.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.user.full_name: + dashed_name: process-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.user.group.domain: + dashed_name: process-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.user.group.id: + dashed_name: process-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.user.group.name: + dashed_name: process-user-group-name + description: Name of the group. + flat_name: process.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.user.hash: + dashed_name: process-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword process.user.id: dashed_name: process-user-id description: Unique identifier of the user. @@ -17525,7 +63172,6 @@ process: original_fieldset: user otel: - relation: match - stability: development short: Unique identifier of the user. type: keyword process.user.name: 
@@ -17544,9 +63190,102 @@ process: original_fieldset: user otel: - relation: match - stability: development short: Short name or login of the user. type: keyword + process.user.risk.calculated_level: + dashed_name: process-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.user.risk.calculated_score: + dashed_name: process-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.user.risk.calculated_score_norm: + dashed_name: process-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.user.risk.static_level: + dashed_name: process-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.user.risk.static_score: + dashed_name: process-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.user.risk.static_score_norm: + dashed_name: process-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.user.roles: + dashed_name: process-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword process.vpid: dashed_name: process-vpid description: 'Virtual process id. @@ -17562,7 +63301,6 @@ process: normalize: [] otel: - relation: match - stability: development short: Virtual process id. type: long process.working_directory: 
@@ -17580,7 +63318,6 @@ process: normalize: [] otel: - relation: match - stability: development short: The working directory of the process. type: keyword group: 2 @@ -18224,7 +63961,6 @@ server: normalize: [] otel: - relation: match - stability: stable short: Server network address. type: keyword server.as.number: @@ -18492,7 +64228,6 @@ server: normalize: [] otel: - relation: match - stability: stable short: Port of the server. type: long server.registered_domain: 
@@ -18571,6 +64306,268 @@ server: original_fieldset: user short: User email address. type: keyword + server.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: server.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + server.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: server.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + server.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: server.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: server.user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + server.user.entity.id: + dashed_name: server-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: server.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + server.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: server.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + server.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: server.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + server.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: server.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + server.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: server.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: server.user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + server.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. 
+ flat_name: server.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + server.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: server.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + server.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: server.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + server.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: server.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + server.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. 
+ This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: server-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: server.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword server.user.full_name: dashed_name: server-user-full-name description: User's full name, if available. 
@@ -18665,6 +64662,86 @@ server: original_fieldset: user short: Short name or login of the user. type: keyword + server.user.risk.calculated_level: + dashed_name: server-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: server.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + server.user.risk.calculated_score: + dashed_name: server-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: server.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + server.user.risk.calculated_score_norm: + dashed_name: server-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: server.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + server.user.risk.static_level: + dashed_name: server-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: server.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + server.user.risk.static_score: + dashed_name: server-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: server.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + server.user.risk.static_score_norm: + dashed_name: server-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: server.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float server.user.roles: dashed_name: server-user-roles description: Array of user roles at the time of the event. 
@@ -18956,12 +65033,21 @@ service: user login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: service-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: service.entity.type ignore_above: 1024 @@ -18989,7 +65075,6 @@ service: otel: - attribute: deployment.environment.name relation: equivalent - stability: development short: Environment of the service. type: keyword service.ephemeral_id: @@ -19043,7 +65128,6 @@ service: normalize: [] otel: - relation: match - stability: stable short: Name of the service. type: keyword service.node.name: @@ -19069,7 +65153,6 @@ service: otel: - attribute: service.instance.id relation: equivalent - stability: development short: Name of the service node. type: keyword service.node.role: 
@@ -19372,12 +65455,21 @@ service: user login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: service-origin-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: service.origin.entity.type ignore_above: 1024 
@@ -19837,12 +65929,21 @@ service: user login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: service-target-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: service.target.entity.type ignore_above: 1024 @@ -20070,7 +66171,6 @@ service: normalize: [] otel: - relation: match - stability: stable short: Version of the service. type: keyword footnote: The service fields may be self-nested under service.origin.* and service.target.* @@ -20146,7 +66246,6 @@ source: normalize: [] otel: - relation: match - stability: development short: Source network address. type: keyword source.as.number: @@ -20414,7 +66513,6 @@ source: normalize: [] otel: - relation: match - stability: development short: Port of the source. type: long source.registered_domain: 
@@ -20493,6 +66591,268 @@ source: original_fieldset: user short: User email address. type: keyword + source.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: source.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + source.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: source.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + source.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: source.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: source.user.entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + source.user.entity.id: + dashed_name: source-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: source.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + source.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: source.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + source.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: source.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + source.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: source.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + source.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: source.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: source.user.entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + source.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. 
+ flat_name: source.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + source.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: source.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + source.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: source.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + source.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: source.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + source.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. 
+ This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: source-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: source.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword source.user.full_name: dashed_name: source-user-full-name description: User's full name, if available. 
@@ -20587,6 +66947,86 @@ source: original_fieldset: user short: Short name or login of the user. type: keyword + source.user.risk.calculated_level: + dashed_name: source-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: source.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + source.user.risk.calculated_score: + dashed_name: source-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: source.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + source.user.risk.calculated_score_norm: + dashed_name: source-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: source.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + source.user.risk.static_level: + dashed_name: source-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: source.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + source.user.risk.static_score: + dashed_name: source-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: source.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + source.user.risk.static_score_norm: + dashed_name: source-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: source.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float source.user.roles: dashed_name: source-user-roles description: Array of user roles at the time of the event. @@ -26370,7 +72810,6 @@ tls: normalize: [] otel: - relation: match - stability: development short: String indicating the cipher used during the current connection. type: keyword tls.client.certificate: @@ -26386,7 +72825,6 @@ tls: normalize: [] otel: - relation: match - stability: development short: PEM-encoded stand-alone certificate offered by the client. type: keyword tls.client.certificate_chain: 
@@ -26403,7 +72841,6 @@ tls: - array otel: - relation: match - stability: development short: Array of PEM-encoded certificates that make up the certificate chain offered by the client. type: keyword @@ -26420,7 +72857,6 @@ tls: normalize: [] otel: - relation: match - stability: development short: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. type: keyword @@ -26437,7 +72873,6 @@ tls: normalize: [] otel: - relation: match - stability: development short: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. type: keyword @@ -26454,7 +72889,6 @@ tls: normalize: [] otel: - relation: match - stability: development short: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. type: keyword @@ -26470,7 +72904,6 @@ tls: normalize: [] otel: - relation: match - stability: development short: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. type: keyword @@ -26486,7 +72919,6 @@ tls: normalize: [] otel: - relation: match - stability: development short: A hash that identifies clients based on how they perform an SSL/TLS handshake. type: keyword tls.client.not_after: @@ -26500,7 +72932,6 @@ tls: normalize: [] otel: - relation: match - stability: development short: Date/Time indicating when client certificate is no longer considered valid. type: date @@ -26515,7 +72946,6 @@ tls: normalize: [] otel: - relation: match - stability: development short: Date/Time indicating when client certificate is first considered valid. type: date tls.client.server_name: @@ -26543,7 +72973,6 @@ tls: normalize: [] otel: - relation: match - stability: development short: Distinguished name of subject of the x.509 certificate presented by the client. type: keyword 
@@ -26560,7 +72989,6 @@ tls: - array otel: - relation: match - stability: development short: Array of ciphers offered by the client during the client hello. type: keyword tls.client.x509.alternative_names: @@ -26880,7 +73308,6 @@ tls: normalize: [] otel: - relation: match - stability: development short: String indicating the curve used for the given cipher, when applicable. type: keyword tls.established: @@ -26893,7 +73320,6 @@ tls: normalize: [] otel: - relation: match - stability: development short: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. type: boolean @@ -26910,7 +73336,6 @@ tls: normalize: [] otel: - relation: match - stability: development short: String indicating the protocol being tunneled. type: keyword tls.resumed: @@ -26923,7 +73348,6 @@ tls: normalize: [] otel: - relation: match - stability: development short: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. type: boolean @@ -26940,7 +73364,6 @@ tls: normalize: [] otel: - relation: match - stability: development short: PEM-encoded stand-alone certificate offered by the server. type: keyword tls.server.certificate_chain: @@ -26957,7 +73380,6 @@ tls: - array otel: - relation: match - stability: development short: Array of PEM-encoded certificates that make up the certificate chain offered by the server. type: keyword @@ -26974,7 +73396,6 @@ tls: normalize: [] otel: - relation: match - stability: development short: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. type: keyword @@ -26991,7 +73412,6 @@ tls: normalize: [] otel: - relation: match - stability: development short: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. type: keyword 
@@ -27008,7 +73428,6 @@ tls: normalize: [] otel: - relation: match - stability: development short: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. type: keyword @@ -27024,7 +73443,6 @@ tls: normalize: [] otel: - relation: match - stability: development short: Subject of the issuer of the x.509 certificate presented by the server. type: keyword tls.server.ja3s: @@ -27039,7 +73457,6 @@ tls: normalize: [] otel: - relation: match - stability: development short: A hash that identifies servers based on how they perform an SSL/TLS handshake. type: keyword tls.server.not_after: @@ -27053,7 +73470,6 @@ tls: normalize: [] otel: - relation: match - stability: development short: Timestamp indicating when server certificate is no longer considered valid. type: date @@ -27068,7 +73484,6 @@ tls: normalize: [] otel: - relation: match - stability: development short: Timestamp indicating when server certificate is first considered valid. type: date tls.server.subject: @@ -27082,7 +73497,6 @@ tls: normalize: [] otel: - relation: match - stability: development short: Subject of the x.509 certificate presented by the server. type: keyword tls.server.x509.alternative_names: @@ -27520,7 +73934,6 @@ url: normalize: [] otel: - relation: match - stability: development short: Domain of the url. type: keyword url.extension: @@ -27543,7 +73956,6 @@ url: normalize: [] otel: - relation: match - stability: development short: File extension from the request url, excluding the leading dot. type: keyword url.fragment: @@ -27558,7 +73970,6 @@ url: normalize: [] otel: - relation: match - stability: stable short: Portion of the url after the `#`. type: keyword url.full: @@ -27577,7 +73988,6 @@ url: normalize: [] otel: - relation: match - stability: stable short: Full unparsed URL. type: wildcard url.original: 
@@ -27599,7 +74009,6 @@ url: normalize: [] otel: - relation: match - stability: development short: Unmodified original url as seen in the event source. type: wildcard url.password: @@ -27621,7 +74030,6 @@ url: normalize: [] otel: - relation: match - stability: stable short: Path of the request, such as "/search". type: wildcard url.port: @@ -27635,7 +74043,6 @@ url: normalize: [] otel: - relation: match - stability: development short: Port of the request, such as 443. type: long url.query: @@ -27654,7 +74061,6 @@ url: normalize: [] otel: - relation: match - stability: stable short: Query string of the request. type: keyword url.registered_domain: @@ -27674,7 +74080,6 @@ url: normalize: [] otel: - relation: match - stability: development short: The highest registered url domain, stripped of the subdomain. type: keyword url.scheme: @@ -27690,7 +74095,6 @@ url: normalize: [] otel: - relation: match - stability: stable short: Scheme of the url. type: keyword url.subdomain: @@ -27711,7 +74115,6 @@ url: normalize: [] otel: - relation: match - stability: development short: The subdomain of the domain. type: keyword url.top_level_domain: @@ -27731,7 +74134,6 @@ url: normalize: [] otel: - relation: match - stability: development short: The effective top level domain (com, org, net, co.uk). type: keyword url.username: 
@@ -28027,12 +74429,21 @@ user: user login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: user-changes-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: user.changes.entity.type ignore_above: 1024 
@@ -28504,12 +74915,21 @@ user: user login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: user-effective-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: user.effective.entity.type ignore_above: 1024 @@ -28718,7 +75138,6 @@ user: normalize: [] otel: - relation: match - stability: development short: User email address. type: keyword user.entity.attributes: 
@@ -28958,12 +75377,21 @@ user: user login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: user-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: user.entity.type ignore_above: 1024 @@ -28989,7 +75417,6 @@ user: normalize: [] otel: - relation: match - stability: development short: User's full name, if available. type: keyword user.group.domain: @@ -29041,7 +75468,6 @@ user: normalize: [] otel: - relation: match - stability: development short: Unique user hash to correlate information for a user in anonymized form. type: keyword user.id: @@ -29055,7 +75481,6 @@ user: normalize: [] otel: - relation: match - stability: development short: Unique identifier of the user. type: keyword user.name: @@ -29073,7 +75498,6 @@ user: normalize: [] otel: - relation: match - stability: development short: Short name or login of the user. type: keyword user.risk.calculated_level: 
@@ -29168,7 +75592,6 @@ user: - array otel: - relation: match - stability: development short: Array of user roles at the time of the event. synthetic_source_keep: none type: keyword @@ -29433,12 +75856,21 @@ user: user login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: user-target-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: user.target.entity.type ignore_above: 1024 @@ -29741,7 +76173,6 @@ user_agent: normalize: [] otel: - relation: match - stability: development short: Name of the user agent. type: keyword user_agent.original: @@ -29760,7 +76191,6 @@ user_agent: normalize: [] otel: - relation: match - stability: stable short: Unparsed user_agent string. type: keyword user_agent.os.family: @@ -29879,7 +76309,6 @@ user_agent: normalize: [] otel: - relation: match - stability: development short: Version of the user agent. type: keyword group: 2 
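Review bot: the generated-file hunks above are mostly unrelated to this PR's subject (adding `cloud` and `orchestrator` to `entity.type` and the `entity.target` self-nesting): they add `source.user.entity.*` and `source.user.risk.*` field definitions wholesale and strip `stability: development` / `stability: stable` from the `otel` mapping of every `tls.*`, `url.*`, `user.*` and `user_agent.*` field. The hunk headers (`@@ -20587,6 +66947,86 @@`, `@@ -26370,7 +72810,6 @@`) show the regenerated file has grown by tens of thousands of lines, and the diffstat of the following commit then deletes about 96k lines from the same two generated files, so the generator was evidently run against a stale or different base. Regenerate from a clean rebase on the target branch so the generated diff contains only the entity changes; if the `otel` `stability` removals are intended, they belong in a separate PR with their own rationale.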
diff --git a/schemas/entity.yml b/schemas/entity.yml index a0527e92f8..5946fb06f0 100644 --- a/schemas/entity.yml +++ b/schemas/entity.yml @@ -11,6 +11,13 @@ that don't have dedicated field sets in ECS. An entity represents a discrete, identifiable component that can be described by a set of attributes and maintains its identity over time. + footnote: > + The entity fields may be self-nested under entity.target.* to describe + the target entity in the context of an action or event. The fieldset + entity.target.* must not be confused with the root entity fieldset that + is used to describe the primary entity under observation. The fieldset + entity.target.* may only be used to describe the targeted entity of an + action taken. root: false reusable: top_level: false @@ -21,6 +28,9 @@ - host - service - orchestrator + - at: entity + as: target + short_override: Targeted entity of action taken. fields: - name: name From 2b40c9c23d43f422b05a3eac2bc70e6399bbb077 Mon Sep 17 00:00:00 2001 From: uri-weisman Date: Tue, 11 Nov 2025 11:33:05 +0200 Subject: [PATCH 4/7] Update generated files: add cloud and orchestrator to entity.type, add entity.target self-nesting --- docs/reference/ecs-entity.md | 13 +- experimental/generated/beats/fields.ecs.yml | 24 +- experimental/generated/ecs/ecs_flat.yml | 132 +- experimental/generated/ecs/ecs_nested.yml | 420 +- generated/beats/fields.ecs.yml | 24 +- generated/ecs/ecs_flat.yml | 50143 +---------------- generated/ecs/ecs_nested.yml | 50521 +----------------- 7 files changed, 5027 insertions(+), 96250 deletions(-) diff --git a/docs/reference/ecs-entity.md b/docs/reference/ecs-entity.md index b61b881053..bbc6cd7115 100644 --- a/docs/reference/ecs-entity.md +++ b/docs/reference/ecs-entity.md 
@@ -27,25 +27,22 @@ The entity fields provide a standardized way to represent and categorize differe | $$$field-entity-reference$$$ [entity.reference](#field-entity-reference) | _This field is beta and subject to change._ A URI, URL, or other direct reference to access or locate the entity in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system.

type: keyword | extended | | $$$field-entity-source$$$ [entity.source](#field-entity-source) | _This field is beta and subject to change._ The module or integration that provided this entity data (similar to event.module).

type: keyword | core | | $$$field-entity-sub-type$$$ [entity.sub_type](#field-entity-sub-type) | _This field is beta and subject to change._ The specific type designation for the entity as defined by its provider or system. This field provides more granular classification than the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` would all map to entity type `bucket`. `hardware` , `virtual` , `container` , `node` , `cloud_instance` would all map to entity type `host`.

type: keyword

example: `aws_s3_bucket` | extended | -| $$$field-entity-type$$$ [entity.type](#field-entity-type) | _This field is beta and subject to change._ A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc.

type: keyword

Note: This field should contain an array of values.

**Important:** The field value must be one of the following:

bucket, database, container, function, queue, host, user, application, service, session

To learn more about when to use which value, visit the page [allowed values for entity.type](/reference/ecs-allowed-values-entity-type.md)
| core | +| $$$field-entity-type$$$ [entity.type](#field-entity-type) | _This field is beta and subject to change._ A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc.

type: keyword

Note: This field should contain an array of values.

**Important:** The field value must be one of the following:

bucket, database, container, function, queue, host, user, application, service, session, cloud, orchestrator

To learn more about when to use which value, visit the page [allowed values for entity.type](/reference/ecs-allowed-values-entity-type.md)
| core | ## Field reuse [_field_reuse] The `entity` fields are expected to be nested at: * `cloud.entity` +* `entity.target` * `host.entity` * `orchestrator.entity` * `service.entity` * `user.entity` -* `entity.target` - - -Note also that the `entity` fields may be used directly at the root of the events. - -### Field sets that can be nested under User [ecs-entity-nestings] +Note also that the `entity` fields are not expected to be used directly at the root of the events. +### Field sets that can be nested under Entity [ecs-entity-nestings] | Location | Field Set | Description | | --- | --- | --- | -| `entity.target.*` | [entity](/reference/ecs-entity.md) | Targeted entity of action taken. | \ No newline at end of file +| `entity.target.*` | [entity](/reference/ecs-entity.md) | Targeted entity of action taken. | diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 1c45bc371e..32677d7b88 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -625,7 +625,7 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host default_field: false - name: instance.id @@ -787,7 +787,7 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host default_field: false - name: origin.instance.id 
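Review bot: this regenerated docs/reference/ecs-entity.md reverts the hand-edited sentence from the first commit (`Note also that the entity fields may be used directly at the root of the events.`) back to `not expected to be used directly at the root`, which is the correct statement given `root: false` in schemas/entity.yml, and it also fixes the heading `Field sets that can be nested under User` to `under Entity` and restores the trailing newline. To avoid the flip-flop within the series, drop the manual edits to this file from the first commit and let the generator own it. Relatedly, the footnote added to schemas/entity.yml describes the top-level fieldset as `the root entity fieldset`, which contradicts this sentence; suggest `the top-level entity.* fieldset` there so readers do not take it as a root-level usage.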
@@ -1038,7 +1038,7 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host default_field: false - name: target.instance.id @@ -4268,7 +4268,7 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host default_field: false - name: geo.city_name @@ -5443,7 +5443,7 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host default_field: false - name: namespace @@ -9391,7 +9391,7 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host default_field: false - name: environment 
@@ -9621,7 +9621,7 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host default_field: false - name: origin.environment @@ -9888,7 +9888,7 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host default_field: false - name: target.environment @@ -14572,7 +14572,7 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host default_field: false - name: changes.full_name @@ -14821,7 +14821,7 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host default_field: false - name: effective.full_name 
@@ -15054,7 +15054,7 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host default_field: false - name: full_name @@ -15291,7 +15291,7 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host default_field: false - name: target.full_name diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 3bef32b802..5ae8d81b9f 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -929,12 +929,21 @@ cloud.entity.type: login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: cloud-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: cloud.entity.type ignore_above: 1024 
@@ -1251,12 +1260,21 @@ cloud.origin.entity.type: login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: cloud-origin-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: cloud.origin.entity.type ignore_above: 1024 
@@ -1719,12 +1737,21 @@ cloud.target.entity.type: login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: cloud-target-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: cloud.target.entity.type ignore_above: 1024 
@@ -7503,12 +7530,21 @@ host.entity.type: login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: host-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: host.entity.type ignore_above: 1024 
@@ -9559,12 +9595,21 @@ orchestrator.entity.type: login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: orchestrator-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: orchestrator.entity.type ignore_above: 1024 
@@ -16028,12 +16073,21 @@ service.entity.type: login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: service-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: service.entity.type ignore_above: 1024 
@@ -16437,12 +16491,21 @@ service.origin.entity.type: login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: service-origin-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: service.origin.entity.type ignore_above: 1024 
@@ -16895,12 +16958,21 @@ service.target.entity.type: login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: service-target-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: service.target.entity.type ignore_above: 1024 
@@ -24847,12 +24919,21 @@ user.changes.entity.type: login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: user-changes-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: user.changes.entity.type ignore_above: 1024 
@@ -25319,12 +25400,21 @@ user.effective.entity.type: login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: user-effective-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: user.effective.entity.type ignore_above: 1024 
@@ -25768,12 +25858,21 @@ user.entity.type: login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: user-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: user.entity.type ignore_above: 1024 
@@ -26238,12 +26337,21 @@ user.target.entity.type: login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: user-target-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: user.target.entity.type ignore_above: 1024 diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 52d708e873..18ff9f757d 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -1135,12 +1135,21 @@ cloud: user login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: cloud-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: cloud.entity.type ignore_above: 1024 
@@ -1462,12 +1471,21 @@ cloud: user login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: cloud-origin-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: cloud.origin.entity.type ignore_above: 1024 
@@ -1935,12 +1953,21 @@ cloud: user login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: cloud-target-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: cloud.target.entity.type ignore_above: 1024 
@@ -5099,6 +5126,268 @@ entity: short: The specific type designation for the entity as defined by its provider or system. type: keyword + entity.target.attributes: + beta: This field is beta and subject to change. + dashed_name: entity-target-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: entity.target.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + entity.target.behavior: + beta: This field is beta and subject to change. + dashed_name: entity-target-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: entity.target.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + entity.target.display_name: + beta: This field is beta and subject to change. + dashed_name: entity-target-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: entity.target.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: entity.target.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + entity.target.id: + dashed_name: entity-target-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: entity.target.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + entity.target.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: entity-target-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: entity.target.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + entity.target.lifecycle: + beta: This field is beta and subject to change. + dashed_name: entity-target-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: entity.target.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + entity.target.metrics: + beta: This field is beta and subject to change. + dashed_name: entity-target-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: entity.target.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + entity.target.name: + beta: This field is beta and subject to change. + dashed_name: entity-target-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: entity.target.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: entity.target.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + entity.target.raw: + beta: This field is beta and subject to change. + dashed_name: entity-target-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. 
+ flat_name: entity.target.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + entity.target.reference: + beta: This field is beta and subject to change. + dashed_name: entity-target-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: entity.target.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + entity.target.source: + beta: This field is beta and subject to change. + dashed_name: entity-target-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: entity.target.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + entity.target.sub_type: + beta: This field is beta and subject to change. + dashed_name: entity-target-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: entity.target.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. 
+ type: keyword + entity.target.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. 
+ name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: entity-target-type + description: 'A standardized high-level classification of the entity. 
This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + example: host + flat_name: entity.target.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword entity.type: allowed_values: - description: Represents a storage container or bucket, typically used for @@ -5152,12 +5441,21 @@ entity: user login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: entity.type ignore_above: 1024 
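Review bot: in the `entity.target.*` definitions added in this hunk, `entity.target.id` is the only new field without a `beta:` line, while `entity.target.name` (also `level: core`) carries one; if that mirrors the existing `entity.id` it is fine, otherwise add the marker so the whole self-nesting is consistently flagged beta. Two wording slips are carried into the generated text and should be corrected at the source: `entity.target.name` says "this field should mirrors the corresponding *.name value" (should mirror), and `entity.target.id` says "ARNs values in AWS" (ARN values). From a detection standpoint the `entity.target.id` guidance (stable across the lifecycle, unique within its scope, matching the dedicated `*.id` field) is what makes actor and target correlatable across events, so it is worth diffing that description against the root `entity.id` text before merging to be sure the two stay identical.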
@@ -5167,8 +5465,15 @@ entity: - array short: Standardized high-level classification of the entity. type: keyword + footnote: The entity fields may be self-nested under entity.target.* to describe + the target entity in the context of an action or event. The fieldset entity.target.* + must not be confused with the root entity fieldset that is used to describe the + primary entity under observation. The fieldset entity.target.* may only be used + to describe the targeted entity of an action taken. group: 2 name: entity + nestings: + - entity.target prefix: entity. reusable: expected: @@ -5187,7 +5492,15 @@ entity: - as: entity at: orchestrator full: orchestrator.entity + - as: target + at: entity + full: entity.target + short_override: Targeted entity of action taken. top_level: false + reused_here: + - full: entity.target + schema_name: entity + short: Targeted entity of action taken. short: Fields to describe various types of entities across IT environments. title: Entity type: group 
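Review bot: the new footnote says `entity.target.*` "may only be used to describe the targeted entity of an action taken", but the split between root `entity.*` (the primary entity under observation) and `entity.target.*` is only described abstractly; one concrete pairing in the footnote (root `entity.*` carries the entity performing the action and `entity.target.*` the entity it acted on, for example one user account changing another user account's role) would make actor-versus-target correlation unambiguous for rule authors. Also, `top_level: false` is left unchanged directly under the new `as: target` / `at: entity` entry: the self-nesting assumes root-level `entity.*` exists to hold `entity.target.*`, so confirm that the generator still emits root `entity.*` with `top_level: false`, or adjust that flag in the same change. Minor: two consecutive sentences in the footnote open with "The fieldset entity.target.*"; merging them would read more cleanly.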
@@ -9286,12 +9599,21 @@ host: user login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: host-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: host.entity.type ignore_above: 1024 
@@ -11700,12 +12022,21 @@ orchestrator: user login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: orchestrator-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: orchestrator.entity.type ignore_above: 1024 
@@ -19036,12 +19367,21 @@ service: user login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: service-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: service.entity.type ignore_above: 1024 
@@ -19452,12 +19792,21 @@ service: user login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: service-origin-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: service.origin.entity.type ignore_above: 1024 
@@ -19917,12 +20266,21 @@ service: user login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: service-target-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: service.target.entity.type ignore_above: 1024 
@@ -28107,12 +28465,21 @@ user: user login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: user-changes-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: user.changes.entity.type ignore_above: 1024 
@@ -28584,12 +28951,21 @@ user: user login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: user-effective-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: user.effective.entity.type ignore_above: 1024 
@@ -29038,12 +29414,21 @@ user: user login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: user-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: user.entity.type ignore_above: 1024 
@@ -29513,12 +29898,21 @@ user: user login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems. name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate + resources, entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. + This includes container orchestrators like Kubernetes, Docker Swarm, and + other systems responsible for automating the deployment, management, scaling, + and networking of containers or workloads. + name: orchestrator beta: This field is beta and subject to change. dashed_name: user-target-entity-type description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host flat_name: user.target.entity.type ignore_above: 1024 diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 4e5347968f..ff7780c1b8 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -575,7 +575,7 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host default_field: false - name: instance.id 
@@ -737,7 +737,7 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host default_field: false - name: origin.instance.id @@ -988,7 +988,7 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host default_field: false - name: target.instance.id @@ -4218,7 +4218,7 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host default_field: false - name: geo.city_name @@ -5393,7 +5393,7 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host default_field: false - name: namespace 
@@ -9341,7 +9341,7 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host default_field: false - name: environment @@ -9571,7 +9571,7 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host default_field: false - name: origin.environment @@ -9838,7 +9838,7 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host default_field: false - name: target.environment @@ -14522,7 +14522,7 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host default_field: false - name: changes.full_name 
@@ -14771,7 +14771,7 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host default_field: false - name: effective.full_name @@ -15004,7 +15004,7 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host default_field: false - name: full_name @@ -15241,7 +15241,7 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' example: host default_field: false - name: target.full_name diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index be3fd39d4c..6fb1437e5c 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -130,6 +130,7 @@ client.address: normalize: [] otel: - relation: match + stability: stable short: Client network address. type: keyword client.as.number: @@ -395,6 +396,7 @@ client.port: normalize: [] otel: - relation: match + stability: stable short: Port of the client. type: long client.registered_domain: 
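Review bot: the `stability: stable` additions under the `otel` mappings for `client.address` and `client.port` (and the `stability: development` additions for the `cloud.*`, `container.*` and `destination.*` fields in the hunks that follow) have nothing to do with adding the `cloud` and `orchestrator` entity types; they look like the generator was run against a tree that already carried an unrelated OTel stability change. Either rebase so the generated diff contains only this change, or split the stability additions into their own commit so they can be reviewed and recorded in the changelog separately.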
@@ -473,263 +475,6 @@ client.user.email: original_fieldset: user short: User email address. type: keyword -client.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: client.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -client.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: client.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -client.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: client.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: client.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -client.user.entity.id: - dashed_name: client-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: client.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -client.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: client.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -client.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: client.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -client.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: client.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -client.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: client.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: client.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -client.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. 
- flat_name: client.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -client.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: client.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -client.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: client.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -client.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: client.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -client.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. 
This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: client-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: client.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword client.user.full_name: dashed_name: client-user-full-name description: User's full name, if available. 
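Review bot: this hunk drops the entire `client.user.entity.*` field set (attributes, behavior, display_name, id, last_seen_timestamp, lifecycle, metrics, name, raw, reference, source, sub_type, type) from the generated flat schema, and the hunk at `-2708,263 +2389,6` starts doing the same for `destination.user.entity.*`. Nothing in the commit subjects ("update entity description", "update tests") explains removing these nestings, and the removed block already contains the new `cloud` and `orchestrator` values, which suggests the generated files were rebuilt from a schema in which the `entity` reuse under `client.user` and `destination.user` no longer exists. Please confirm whether that removal is intentional; if it is, call it out as a breaking change in the changelog, and if it is not, regenerate from the intended schema.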
@@ -824,86 +569,6 @@ client.user.name: original_fieldset: user short: Short name or login of the user. type: keyword -client.user.risk.calculated_level: - dashed_name: client-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: client.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -client.user.risk.calculated_score: - dashed_name: client-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: client.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -client.user.risk.calculated_score_norm: - dashed_name: client-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: client.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -client.user.risk.static_level: - dashed_name: client-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: client.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -client.user.risk.static_score: - dashed_name: client-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: client.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -client.user.risk.static_score_norm: - dashed_name: client-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: client.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float client.user.roles: dashed_name: client-user-roles description: Array of user roles at the time of the event. @@ -932,6 +597,7 @@ cloud.account.id: normalize: [] otel: - relation: match + stability: development short: The cloud account or organization id. type: keyword cloud.account.name: @@ -959,6 +625,7 @@ cloud.availability_zone: normalize: [] otel: - relation: match + stability: development short: Availability zone in which this host, resource, or service is located. type: keyword cloud.entity.attributes: @@ -1691,6 +1358,7 @@ cloud.provider: normalize: [] otel: - relation: match + stability: development short: Name of the cloud provider. type: keyword cloud.region: 
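Review bot: the hunk at `-824,86 +569,6` likewise removes all six `client.user.risk.*` fields (calculated_level, calculated_score, calculated_score_norm, static_level, static_score, static_score_norm) from the flat schema. Unlike the entity fields these carry no `beta` marker, so dropping them silently breaks any index template or ingest pipeline that writes, for example, `client.user.risk.calculated_score`. The same question applies as for the entity fields: was the `risk` reuse under `client.user` removed on purpose, and if so, where is it documented?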
@@ -1704,6 +1372,7 @@ cloud.region: normalize: [] otel: - relation: match + stability: development short: Region in which this host, resource, or service is located. type: keyword cloud.service.name: @@ -1722,6 +1391,7 @@ cloud.service.name: otel: - attribute: cloud.platform relation: equivalent + stability: development short: The cloud service name. type: keyword cloud.target.account.id: @@ -2138,6 +1808,7 @@ container.cpu.usage: otel: - metric: container.cpu.usage relation: metric + stability: development scaling_factor: 1000 short: Percent CPU used, between 0 and 1. type: scaled_float @@ -2171,6 +1842,7 @@ container.id: normalize: [] otel: - relation: match + stability: development short: Unique container id. type: keyword container.image.hash.all: @@ -2188,6 +1860,7 @@ container.image.hash.all: otel: - attribute: container.image.repo_digests relation: equivalent + stability: development short: An array of digests of the image the container was built on. type: keyword container.image.name: @@ -2200,6 +1873,7 @@ container.image.name: normalize: [] otel: - relation: match + stability: development short: Name of the image the container was built on. type: keyword container.image.tag: @@ -2214,6 +1888,7 @@ container.image.tag: otel: - attribute: container.image.tags relation: equivalent + stability: development short: Container image tags. synthetic_source_keep: none type: keyword @@ -2228,6 +1903,7 @@ container.labels: otel: - attribute: container.label relation: related + stability: development short: Image labels. type: object container.memory.usage: @@ -2241,6 +1917,7 @@ container.memory.usage: otel: - metric: container.memory.usage relation: metric + stability: development scaling_factor: 1000 short: Percent memory used, between 0 and 1. type: scaled_float @@ -2254,6 +1931,7 @@ container.name: normalize: [] otel: - relation: match + stability: development short: Container name. type: keyword container.network.egress.bytes: 
@@ -2288,6 +1966,7 @@ container.runtime: otel: - attribute: container.runtime.name relation: equivalent + stability: development short: Runtime managing this container. type: keyword container.security_context.privileged: @@ -2366,6 +2045,7 @@ destination.address: normalize: [] otel: - relation: match + stability: development short: Destination network address. type: keyword destination.as.number: @@ -2630,6 +2310,7 @@ destination.port: normalize: [] otel: - relation: match + stability: development short: Port of the destination. type: long destination.registered_domain: 
@@ -2708,263 +2389,6 @@ destination.user.email: original_fieldset: user short: User email address. type: keyword -destination.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: destination.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -destination.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: destination.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -destination.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: destination.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: destination.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -destination.user.entity.id: - dashed_name: destination-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: destination.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -destination.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: destination.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -destination.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: destination.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -destination.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: destination.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -destination.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: destination.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: destination.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -destination.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. 
- flat_name: destination.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -destination.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: destination.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -destination.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: destination.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -destination.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: destination.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -destination.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. 
This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: destination.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword destination.user.full_name: dashed_name: destination-user-full-name description: User's full name, if available. 
@@ -3059,86 +2483,6 @@ destination.user.name: original_fieldset: user short: Short name or login of the user. type: keyword -destination.user.risk.calculated_level: - dashed_name: destination-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: destination.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -destination.user.risk.calculated_score: - dashed_name: destination-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: destination.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -destination.user.risk.calculated_score_norm: - dashed_name: destination-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: destination.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -destination.user.risk.static_level: - dashed_name: destination-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: destination.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -destination.user.risk.static_score: - dashed_name: destination-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: destination.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -destination.user.risk.static_score_norm: - dashed_name: destination-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: destination.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float destination.user.roles: dashed_name: destination-user-roles description: Array of user roles at the time of the event. @@ -3172,6 +2516,7 @@ device.id: normalize: [] otel: - relation: match + stability: development short: The unique identifier of a device. type: keyword device.manufacturer: @@ -3185,6 +2530,7 @@ device.manufacturer: normalize: [] otel: - relation: match + stability: development short: The vendor name of the device manufacturer. type: keyword device.model.identifier: 
@@ -3198,6 +2544,7 @@ device.model.identifier: normalize: [] otel: - relation: match + stability: development short: The machine readable identifier of the device model. type: keyword device.model.name: @@ -3211,6 +2558,7 @@ device.model.name: normalize: [] otel: - relation: match + stability: development short: The human readable marketing name of the device model. type: keyword device.product.id: @@ -3924,6 +3272,7 @@ dns.answers: otel: - attribute: dns.answers relation: related + stability: development short: Array of DNS answers. type: object dns.answers.class: @@ -4061,6 +3410,7 @@ dns.question.name: normalize: [] otel: - relation: match + stability: development short: The name being queried. type: keyword dns.question.registered_domain: @@ -4540,6 +3890,7 @@ error.message: otel: - attribute: exception.message relation: equivalent + stability: stable short: Error message. type: match_only_text error.stack_trace: @@ -4556,6 +3907,7 @@ error.stack_trace: otel: - attribute: exception.stacktrace relation: equivalent + stability: stable short: The stack trace of this error in plain text. type: wildcard error.type: @@ -4569,6 +3921,7 @@ error.type: normalize: [] otel: - relation: match + stability: stable short: The type of the error, for example the class name of the exception. type: keyword event.action: @@ -5444,6 +4797,7 @@ faas.coldstart: normalize: [] otel: - relation: match + stability: development short: Boolean value indicating a cold start of a function. type: boolean faas.execution: @@ -5458,6 +4812,7 @@ faas.execution: otel: - attribute: faas.invocation_id relation: equivalent + stability: development short: The execution ID of the current function execution. type: keyword faas.id: @@ -5485,6 +4840,7 @@ faas.name: normalize: [] otel: - relation: match + stability: development short: The name of a serverless function. type: keyword faas.trigger.request_id: 
@@ -5516,6 +4872,7 @@ faas.trigger.type: otel: - attribute: faas.trigger relation: equivalent + stability: development short: The trigger for the function execution. type: keyword faas.version: @@ -5529,6 +4886,7 @@ faas.version: normalize: [] otel: - relation: match + stability: development short: The version of a serverless function. type: keyword file.accessed: @@ -5542,6 +4900,7 @@ file.accessed: normalize: [] otel: - relation: match + stability: development short: Last time the file was accessed. type: date file.attributes: @@ -5560,6 +4919,7 @@ file.attributes: - array otel: - relation: match + stability: development short: Array of file attributes. synthetic_source_keep: none type: keyword @@ -5725,6 +5085,7 @@ file.created: normalize: [] otel: - relation: match + stability: development short: File creation time. type: date file.ctime: @@ -5740,6 +5101,7 @@ file.ctime: otel: - attribute: file.changed relation: equivalent + stability: development short: Last time the file attributes or metadata changed. type: date file.device: @@ -5765,6 +5127,7 @@ file.directory: normalize: [] otel: - relation: match + stability: development short: Directory where the file is located. type: keyword file.drive_letter: @@ -6237,6 +5600,7 @@ file.extension: normalize: [] otel: - relation: match + stability: development short: File extension, excluding the leading dot. type: keyword file.fork_name: @@ -6262,6 +5626,7 @@ file.fork_name: normalize: [] otel: - relation: match + stability: development short: A fork is additional data associated with a filesystem object. type: keyword file.gid: @@ -6276,6 +5641,7 @@ file.gid: otel: - attribute: file.group.id relation: equivalent + stability: development short: Primary group ID (GID) of the file. type: keyword file.group: @@ -6290,6 +5656,7 @@ file.group: otel: - attribute: file.group.name relation: equivalent + stability: development short: Primary group name of the file. type: keyword file.hash.cdhash: 
@@ -6394,6 +5761,7 @@ file.inode: normalize: [] otel: - relation: match + stability: development short: Inode representing the file in the filesystem. type: keyword file.macho.go_import_hash: @@ -6618,6 +5986,7 @@ file.mode: normalize: [] otel: - relation: match + stability: development short: Mode of the file in octal representation. type: keyword file.mtime: @@ -6630,6 +5999,7 @@ file.mtime: otel: - attribute: file.modified relation: equivalent + stability: development short: Last time the file content was modified. type: date file.name: @@ -6643,6 +6013,7 @@ file.name: normalize: [] otel: - relation: match + stability: development short: Name of the file including the extension, without the directory. type: keyword file.origin_referrer_url: @@ -6681,6 +6052,7 @@ file.owner: otel: - attribute: file.owner.name relation: equivalent + stability: development short: File owner's username. type: keyword file.path: @@ -6699,6 +6071,7 @@ file.path: normalize: [] otel: - relation: match + stability: development short: Full path to the file, including the file name. type: keyword file.pe.architecture: @@ -6999,6 +6372,7 @@ file.size: normalize: [] otel: - relation: match + stability: development short: File size in bytes. type: long file.target_path: @@ -7016,6 +6390,7 @@ file.target_path: otel: - attribute: file.symbolic_link.target_path relation: equivalent + stability: development short: Target path for symlinks. type: keyword file.type: @@ -7041,6 +6416,7 @@ file.uid: otel: - attribute: file.owner.id relation: equivalent + stability: development short: The user ID (UID) or security identifier (SID) of the file owner. type: keyword file.x509.alternative_names: @@ -7361,6 +6737,7 @@ gen_ai.agent.description: normalize: [] otel: - relation: match + stability: development short: Free-form description of the GenAI agent provided by the application. type: keyword gen_ai.agent.id: 
@@ -7375,6 +6752,7 @@ gen_ai.agent.id: normalize: [] otel: - relation: match + stability: development short: The unique identifier of the GenAI agent. type: keyword gen_ai.agent.name: @@ -7389,6 +6767,7 @@ gen_ai.agent.name: normalize: [] otel: - relation: match + stability: development short: Human-readable name of the GenAI agent provided by the application. type: keyword gen_ai.operation.name: @@ -7403,6 +6782,7 @@ gen_ai.operation.name: normalize: [] otel: - relation: match + stability: development short: The name of the operation being performed. type: keyword gen_ai.output.type: @@ -7417,6 +6797,7 @@ gen_ai.output.type: normalize: [] otel: - relation: match + stability: development short: Represents the content type requested by the client. type: keyword gen_ai.request.choice.count: @@ -7430,6 +6811,7 @@ gen_ai.request.choice.count: normalize: [] otel: - relation: match + stability: development short: The target number of candidate completions to return. type: integer gen_ai.request.encoding_formats: @@ -7443,6 +6825,7 @@ gen_ai.request.encoding_formats: normalize: [] otel: - relation: match + stability: development short: The encoding formats requested in an embeddings operation, if specified. type: nested gen_ai.request.frequency_penalty: @@ -7456,6 +6839,7 @@ gen_ai.request.frequency_penalty: normalize: [] otel: - relation: match + stability: development short: The frequency penalty setting for the GenAI request. type: double gen_ai.request.max_tokens: @@ -7469,6 +6853,7 @@ gen_ai.request.max_tokens: normalize: [] otel: - relation: match + stability: development short: The maximum number of tokens the model generates for a request. type: integer gen_ai.request.model: @@ -7483,6 +6868,7 @@ gen_ai.request.model: normalize: [] otel: - relation: match + stability: development short: The name of the GenAI model a request is being made to. type: keyword gen_ai.request.presence_penalty: 
@@ -7496,6 +6882,7 @@ gen_ai.request.presence_penalty: normalize: [] otel: - relation: match + stability: development short: The presence penalty setting for the GenAI request. type: double gen_ai.request.seed: @@ -7509,6 +6896,7 @@ gen_ai.request.seed: normalize: [] otel: - relation: match + stability: development short: Requests with same seed value more likely to return same result. type: integer gen_ai.request.stop_sequences: @@ -7523,6 +6911,7 @@ gen_ai.request.stop_sequences: normalize: [] otel: - relation: match + stability: development short: List of sequences that the model will use to stop generating further tokens. type: nested gen_ai.request.temperature: @@ -7536,6 +6925,7 @@ gen_ai.request.temperature: normalize: [] otel: - relation: match + stability: development short: The temperature setting for the GenAI request. type: double gen_ai.request.top_k: @@ -7549,6 +6939,7 @@ gen_ai.request.top_k: normalize: [] otel: - relation: match + stability: development short: The top_k sampling setting for the GenAI request. type: double gen_ai.request.top_p: @@ -7562,6 +6953,7 @@ gen_ai.request.top_p: normalize: [] otel: - relation: match + stability: development short: The top_p sampling setting for the GenAI request. type: double gen_ai.response.finish_reasons: @@ -7576,6 +6968,7 @@ gen_ai.response.finish_reasons: normalize: [] otel: - relation: match + stability: development short: Array of reasons the model stopped generating tokens, corresponding to each generation received. type: nested @@ -7591,6 +6984,7 @@ gen_ai.response.id: normalize: [] otel: - relation: match + stability: development short: The unique identifier for the completion. type: keyword gen_ai.response.model: @@ -7605,6 +6999,7 @@ gen_ai.response.model: normalize: [] otel: - relation: match + stability: development short: The name of the model that generated the response. type: keyword gen_ai.system: 
@@ -7620,6 +7015,7 @@ gen_ai.system: otel: - attribute: gen_ai.provider.name relation: equivalent + stability: development short: The Generative AI product as identified by the client or server instrumentation. type: keyword gen_ai.token.type: @@ -7634,6 +7030,7 @@ gen_ai.token.type: normalize: [] otel: - relation: match + stability: development short: The type of token being counted. type: keyword gen_ai.tool.call.id: @@ -7648,6 +7045,7 @@ gen_ai.tool.call.id: normalize: [] otel: - relation: match + stability: development short: The tool call identifier. type: keyword gen_ai.tool.name: @@ -7662,6 +7060,7 @@ gen_ai.tool.name: normalize: [] otel: - relation: match + stability: development short: Name of the tool utilized by the agent. type: keyword gen_ai.tool.type: @@ -7676,6 +7075,7 @@ gen_ai.tool.type: normalize: [] otel: - relation: match + stability: development short: Type of the tool utilized by the agent type: keyword gen_ai.usage.input_tokens: @@ -7689,6 +7089,7 @@ gen_ai.usage.input_tokens: normalize: [] otel: - relation: match + stability: development short: The number of tokens used in the GenAI input (prompt). type: integer gen_ai.usage.output_tokens: @@ -7702,6 +7103,7 @@ gen_ai.usage.output_tokens: normalize: [] otel: - relation: match + stability: development short: The number of tokens used in the GenAI response (completion). type: integer group.domain: @@ -7748,6 +7150,7 @@ host.architecture: otel: - attribute: host.arch relation: equivalent + stability: development short: Operating system architecture. type: keyword host.boot.id: @@ -7780,6 +7183,7 @@ host.cpu.usage: otel: - metric: system.cpu.utilization relation: metric + stability: development scaling_factor: 1000 short: Percent CPU used, between 0 and 1. type: scaled_float @@ -7794,6 +7198,7 @@ host.disk.read.bytes: otel: - metric: system.disk.io relation: metric + stability: development short: The number of bytes read by all disks. type: long host.disk.write.bytes: 
@@ -7807,6 +7212,7 @@ host.disk.write.bytes: otel: - metric: system.disk.io relation: metric + stability: development short: The number of bytes written on all disks. type: long host.domain: @@ -8246,6 +7652,7 @@ host.id: normalize: [] otel: - relation: match + stability: development short: Unique host id. type: keyword host.ip: @@ -8258,6 +7665,7 @@ host.ip: - array otel: - relation: match + stability: development short: Host ip addresses. synthetic_source_keep: none type: ip @@ -8277,6 +7685,7 @@ host.mac: - array otel: - relation: match + stability: development pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ short: Host MAC addresses. synthetic_source_keep: none @@ -8295,6 +7704,7 @@ host.name: normalize: [] otel: - relation: match + stability: development short: Name of the host. type: keyword host.network.egress.bytes: @@ -8308,6 +7718,7 @@ host.network.egress.bytes: otel: - metric: system.network.io relation: metric + stability: development short: The number of bytes sent on all network interfaces. type: long host.network.egress.packets: @@ -8321,6 +7732,7 @@ host.network.egress.packets: otel: - metric: system.network.packet.count relation: metric + stability: development short: The number of packets sent on all network interfaces. type: long host.network.ingress.bytes: @@ -8334,6 +7746,7 @@ host.network.ingress.bytes: otel: - metric: system.network.io relation: metric + stability: development short: The number of bytes received on all network interfaces. type: long host.network.ingress.packets: @@ -8347,6 +7760,7 @@ host.network.ingress.packets: otel: - metric: system.network.packet.count relation: metric + stability: development short: The number of packets received on all network interfaces. type: long host.os.family: @@ -8559,6 +7973,7 @@ host.type: normalize: [] otel: - relation: match + stability: development short: Type of host. type: keyword host.uptime: 
@@ -8572,6 +7987,7 @@ host.uptime: otel: - metric: system.uptime relation: metric + stability: development short: Seconds the host has been up. type: long http.request.body.bytes: @@ -8586,6 +8002,7 @@ http.request.body.bytes: otel: - attribute: http.request.body.size relation: equivalent + stability: development short: Size in bytes of the request body. type: long http.request.body.content: @@ -8614,6 +8031,7 @@ http.request.bytes: otel: - attribute: http.request.size relation: equivalent + stability: development short: Total size in bytes of the request (body and headers). type: long http.request.id: @@ -8646,6 +8064,7 @@ http.request.method: otel: - attribute: http.request.method_original relation: equivalent + stability: stable - attribute: http.request.method note: '`http.request.method` in SemConv is the known, normalized, upper case value of the request method, other than the ECS'' `http.request.method` that retains @@ -8653,6 +8072,7 @@ http.request.method: ' relation: conflict + stability: stable short: HTTP request method. type: keyword http.request.mime_type: @@ -8693,6 +8113,7 @@ http.response.body.bytes: otel: - attribute: http.response.body.size relation: equivalent + stability: development short: Size in bytes of the response body. type: long http.response.body.content: @@ -8721,6 +8142,7 @@ http.response.bytes: otel: - attribute: http.response.size relation: equivalent + stability: development short: Total size in bytes of the response (body and headers). type: long http.response.mime_type: @@ -8749,6 +8171,7 @@ http.response.status_code: normalize: [] otel: - relation: match + stability: stable short: HTTP response status code. type: long http.version: 
@@ -8763,12 +8186,14 @@ http.version: otel: - attribute: network.protocol.name relation: related + stability: stable - attribute: network.protocol.version note: 'In OTel SemConv, `network.protocol.version` specifies the HTTP version if the value of `network.protocol.name` is `http`. ' relation: related + stability: stable short: HTTP version. type: keyword labels: @@ -8788,8 +8213,10 @@ labels: otel: - attribute: k8s.pod.label relation: related + stability: development - attribute: container.label relation: related + stability: development short: Custom key/value pairs. type: object log.file.path: @@ -8806,6 +8233,7 @@ log.file.path: normalize: [] otel: - relation: match + stability: development short: Full path to the log file this event came from. type: keyword log.level: @@ -9226,6 +8654,7 @@ network.protocol: otel: - attribute: network.protocol.name relation: equivalent + stability: stable short: Application protocol name. type: keyword network.transport: @@ -9242,6 +8671,7 @@ network.transport: normalize: [] otel: - relation: match + stability: stable short: Protocol Name corresponding to the field `iana_number`. type: keyword network.type: @@ -9258,6 +8688,7 @@ network.type: normalize: [] otel: - relation: match + stability: stable short: In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc type: keyword @@ -10426,6 +9857,7 @@ process.args: otel: - attribute: process.command_args relation: equivalent + stability: development short: Array of process arguments. type: keyword process.args_count: 
@@ -10442,512 +9874,9 @@ process.args_count: normalize: [] otel: - relation: match + stability: development short: Length of the process.args array. type: long -process.attested_groups.domain: - dashed_name: process-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.attested_groups.id: - dashed_name: process-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.attested_groups.name: - dashed_name: process-attested-groups-name - description: Name of the group. - flat_name: process.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.attested_user.domain: - dashed_name: process-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.attested_user.email: - dashed_name: process-attested-user-email - description: User email address. - flat_name: process.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. 
- type: keyword -process.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.attested_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.attested_user.entity.id: - dashed_name: process-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. 
Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.attested_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. 
While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. 
This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.attested_user.full_name: - dashed_name: process-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.attested_user.group.domain: - dashed_name: process-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.attested_user.group.id: - dashed_name: process-attested-user-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.attested_user.group.name: - dashed_name: process-attested-user-group-name - description: Name of the group. - flat_name: process.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.attested_user.hash: - dashed_name: process-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.attested_user.id: - dashed_name: process-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.attested_user.name: - dashed_name: process-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword -process.attested_user.risk.calculated_level: - dashed_name: process-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.attested_user.risk.calculated_score: - dashed_name: process-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.attested_user.risk.calculated_score_norm: - dashed_name: process-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.attested_user.risk.static_level: - dashed_name: process-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.attested_user.risk.static_score: - dashed_name: process-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.attested_user.risk.static_score_norm: - dashed_name: process-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.attested_user.roles: - dashed_name: process-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword process.code_signature.digest_algorithm: dashed_name: process-code-signature-digest-algorithm description: 'The hashing algorithm used to sign the process. 
@@ -11116,6 +10045,7 @@ process.command_line: normalize: [] otel: - relation: match + stability: development short: Full command line that started the process. type: wildcard process.elf.architecture: @@ -11570,17 +10500,6 @@ process.end: normalize: [] short: The time the process ended. type: date -process.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean process.entity_id: dashed_name: process-entity-id description: 'Unique identifier for the process. 
@@ -11631,30 +10550,6 @@ process.entry_leader.args_count: original_fieldset: process short: Length of the process.args array. type: long -process.entry_leader.attested_groups.domain: - dashed_name: process-entry-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.attested_groups.id: - dashed_name: process-entry-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword process.entry_leader.attested_groups.name: dashed_name: process-entry-leader-attested-groups-name description: Name of the group. 
@@ -11666,320 +10561,307 @@ process.entry_leader.attested_groups.name: original_fieldset: group short: Name of the group. type: keyword -process.entry_leader.attested_user.domain: - dashed_name: process-entry-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.attested_user.domain +process.entry_leader.attested_user.id: + dashed_name: process-entry-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.attested_user.id ignore_above: 1024 - level: extended - name: domain + level: core + name: id normalize: [] original_fieldset: user - short: Name of the directory the user is a member of. + short: Unique identifier of the user. type: keyword -process.entry_leader.attested_user.email: - dashed_name: process-entry-leader-attested-user-email - description: User email address. - flat_name: process.entry_leader.attested_user.email +process.entry_leader.attested_user.name: + dashed_name: process-entry-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.attested_user.name ignore_above: 1024 - level: extended - name: email + level: core + multi_fields: + - flat_name: process.entry_leader.attested_user.name.text + name: text + type: match_only_text + name: name normalize: [] original_fieldset: user - short: User email address. + short: Short name or login of the user. type: keyword -process.entry_leader.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. 
Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.entry_leader.attested_user.entity.attributes +process.entry_leader.command_line: + dashed_name: process-entry-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.entry_leader.command_line level: extended - name: attributes + multi_fields: + - flat_name: process.entry_leader.command_line.text + name: text + type: match_only_text + name: command_line normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.entry_leader.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.entry_leader.attested_user.entity.behavior + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.entry_leader.entity_id: + dashed_name: process-entry-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. 
+ + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.entry_leader.entity_id + ignore_above: 1024 level: extended - name: behavior + name: entity_id normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.entry_leader.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.attested_user.entity.display_name + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.entry_leader.entry_meta.source.ip: + dashed_name: process-entry-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.entry_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip +process.entry_leader.entry_meta.type: + dashed_name: process-entry-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.entry_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. 
+ type: keyword +process.entry_leader.executable: + dashed_name: process-entry-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.entry_leader.executable ignore_above: 1024 level: extended multi_fields: - - flat_name: process.entry_leader.attested_user.entity.display_name.text + - flat_name: process.entry_leader.executable.text name: text type: match_only_text - name: display_name + name: executable normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. + original_fieldset: process + short: Absolute path to the process executable. type: keyword -process.entry_leader.attested_user.entity.id: - dashed_name: process-entry-leader-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.entry_leader.attested_user.entity.id +process.entry_leader.group.id: + dashed_name: process-entry-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.group.id ignore_above: 1024 - level: core + level: extended name: id normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword -process.entry_leader.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.entry_leader.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.attested_user.entity.lifecycle +process.entry_leader.group.name: + dashed_name: process-entry-leader-group-name + description: Name of the group. + flat_name: process.entry_leader.group.name + ignore_above: 1024 level: extended - name: lifecycle + name: name normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.entry_leader.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.entry_leader.attested_user.entity.metrics + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.interactive: + dashed_name: process-entry-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. 
If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.entry_leader.interactive level: extended - name: metrics + name: interactive normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.entry_leader.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.entry_leader.attested_user.entity.name + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.entry_leader.name: + dashed_name: process-entry-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.entry_leader.name ignore_above: 1024 - level: core + level: extended multi_fields: - - flat_name: process.entry_leader.attested_user.entity.name.text + - flat_name: process.entry_leader.name.text name: text type: match_only_text name: name normalize: [] - original_fieldset: entity - short: The name of the entity. + original_fieldset: process + short: Process name. 
type: keyword -process.entry_leader.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.entry_leader.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.entry_leader.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.attested_user.entity.reference +process.entry_leader.parent.entity_id: + dashed_name: process-entry-leader-parent-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.entry_leader.parent.entity_id ignore_above: 1024 level: extended - name: reference + name: entity_id normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. 
+ original_fieldset: process + short: Unique identifier for the process. type: keyword -process.entry_leader.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.entry_leader.attested_user.entity.source - ignore_above: 1024 +process.entry_leader.parent.pid: + dashed_name: process-entry-leader-parent-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.parent.pid + format: string level: core - name: source + name: pid normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.entry_leader.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.attested_user.entity.sub_type + original_fieldset: process + short: Process id. + type: long +process.entry_leader.parent.session_leader.entity_id: + dashed_name: process-entry-leader-parent-session-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. 
+ + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.entry_leader.parent.session_leader.entity_id ignore_above: 1024 level: extended - name: sub_type + name: entity_id normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. + original_fieldset: process + short: Unique identifier for the process. type: keyword -process.entry_leader.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. 
- name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. 
This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.entry_leader.attested_user.entity.type - ignore_above: 1024 +process.entry_leader.parent.session_leader.pid: + dashed_name: process-entry-leader-parent-session-leader-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.parent.session_leader.pid + format: string level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.entry_leader.attested_user.full_name: - dashed_name: process-entry-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.attested_user.full_name - ignore_above: 1024 + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.entry_leader.parent.session_leader.start: + dashed_name: process-entry-leader-parent-session-leader-start + description: The time the process started. 
+ example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.session_leader.start level: extended - multi_fields: - - flat_name: process.entry_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name + name: start normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.entry_leader.attested_user.group.domain: - dashed_name: process-entry-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. + original_fieldset: process + short: The time the process started. + type: date +process.entry_leader.parent.session_leader.vpid: + dashed_name: process-entry-leader-parent-session-leader-vpid + description: 'Virtual process id. - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.attested_user.group.domain - ignore_above: 1024 + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.entry_leader.parent.session_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long +process.entry_leader.parent.start: + dashed_name: process-entry-leader-parent-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.start level: extended - name: domain + name: start normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.attested_user.group.id: - dashed_name: process-entry-leader-attested-user-group-id + original_fieldset: process + short: The time the process started. + type: date +process.entry_leader.parent.vpid: + dashed_name: process-entry-leader-parent-vpid + description: 'Virtual process id. 
+ + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.entry_leader.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long +process.entry_leader.pid: + dashed_name: process-entry-leader-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.entry_leader.real_group.id: + dashed_name: process-entry-leader-real-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.attested_user.group.id + flat_name: process.entry_leader.real_group.id ignore_above: 1024 level: extended name: id @@ -11987,10 +10869,10 @@ process.entry_leader.attested_user.group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.entry_leader.attested_user.group.name: - dashed_name: process-entry-leader-attested-user-group-name +process.entry_leader.real_group.name: + dashed_name: process-entry-leader-real-group-name description: Name of the group. - flat_name: process.entry_leader.attested_user.group.name + flat_name: process.entry_leader.real_group.name ignore_above: 1024 level: extended name: name 
@@ -11998,26 +10880,11 @@ process.entry_leader.attested_user.group.name: original_fieldset: group short: Name of the group. type: keyword -process.entry_leader.attested_user.hash: - dashed_name: process-entry-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.attested_user.id: - dashed_name: process-entry-leader-attested-user-id +process.entry_leader.real_user.id: + dashed_name: process-entry-leader-real-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.attested_user.id + flat_name: process.entry_leader.real_user.id ignore_above: 1024 level: core name: id @@ -12025,15 +10892,15 @@ process.entry_leader.attested_user.id: original_fieldset: user short: Unique identifier of the user. type: keyword -process.entry_leader.attested_user.name: - dashed_name: process-entry-leader-attested-user-name +process.entry_leader.real_user.name: + dashed_name: process-entry-leader-real-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.entry_leader.attested_user.name + flat_name: process.entry_leader.real_user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.entry_leader.attested_user.name.text + - flat_name: process.entry_leader.real_user.name.text name: text type: match_only_text name: name 
@@ -12041,262 +10908,330 @@ process.entry_leader.attested_user.name: original_fieldset: user short: Short name or login of the user. type: keyword -process.entry_leader.attested_user.risk.calculated_level: - dashed_name: process-entry-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.entry_leader.attested_user.risk.calculated_score: - dashed_name: process-entry-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.attested_user.risk.calculated_score +process.entry_leader.same_as_process: + dashed_name: process-entry-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. 
e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.entry_leader.same_as_process level: extended - name: calculated_score + name: same_as_process normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.entry_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.attested_user.risk.calculated_score_norm + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.entry_leader.saved_group.id: + dashed_name: process-entry-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.saved_group.id + ignore_above: 1024 level: extended - name: calculated_score_norm + name: id normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float -process.entry_leader.attested_user.risk.static_level: - dashed_name: process-entry-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.attested_user.risk.static_level + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.saved_group.name: + dashed_name: process-entry-leader-saved-group-name + description: Name of the group. + flat_name: process.entry_leader.saved_group.name ignore_above: 1024 level: extended - name: static_level + name: name normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. + original_fieldset: group + short: Name of the group. type: keyword -process.entry_leader.attested_user.risk.static_score: - dashed_name: process-entry-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.attested_user.risk.static_score - level: extended - name: static_score +process.entry_leader.saved_user.id: + dashed_name: process-entry-leader-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.saved_user.id + ignore_above: 1024 + level: core + name: id normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.entry_leader.attested_user.risk.static_score_norm: - dashed_name: process-entry-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.attested_user.risk.static_score_norm + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.entry_leader.saved_user.name: + dashed_name: process-entry-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.entry_leader.start: + dashed_name: process-entry-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.start level: extended - name: static_score_norm + name: start normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.entry_leader.attested_user.roles: - dashed_name: process-entry-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.attested_user.roles + original_fieldset: process + short: The time the process started. + type: date +process.entry_leader.supplemental_groups.id: + dashed_name: process-entry-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.entry_leader.supplemental_groups.id ignore_above: 1024 level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword -process.entry_leader.code_signature.digest_algorithm: - dashed_name: process-entry-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.entry_leader.code_signature.digest_algorithm +process.entry_leader.supplemental_groups.name: + dashed_name: process-entry-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.entry_leader.supplemental_groups.name ignore_above: 1024 level: extended - name: digest_algorithm + name: name normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. + original_fieldset: group + short: Name of the group. type: keyword -process.entry_leader.code_signature.exists: - dashed_name: process-entry-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.entry_leader.code_signature.exists +process.entry_leader.tty: + dashed_name: process-entry-leader-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.entry_leader.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. 
+ type: object +process.entry_leader.tty.char_device.major: + dashed_name: process-entry-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.entry_leader.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long +process.entry_leader.tty.char_device.minor: + dashed_name: process-entry-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.entry_leader.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long +process.entry_leader.user.id: + dashed_name: process-entry-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.user.id + ignore_above: 1024 level: core - name: exists + name: id normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -process.entry_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-code-signature-flags - description: The flags used to sign the process. 
- example: 570522385 - flat_name: process.entry_leader.code_signature.flags + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.entry_leader.user.name: + dashed_name: process-entry-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.user.name ignore_above: 1024 - level: extended - name: flags + level: core + multi_fields: + - flat_name: process.entry_leader.user.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process + original_fieldset: user + short: Short name or login of the user. type: keyword -process.entry_leader.code_signature.signing_id: - dashed_name: process-entry-leader-code-signature-signing-id - description: 'The identifier used to sign the process. +process.entry_leader.vpid: + dashed_name: process-entry-leader-vpid + description: 'Virtual process id. - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.entry_leader.code_signature.signing_id + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.entry_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long +process.entry_leader.working_directory: + dashed_name: process-entry-leader-working-directory + description: The working directory of the process. 
+ example: /home/alice + flat_name: process.entry_leader.working_directory ignore_above: 1024 level: extended - name: signing_id + multi_fields: + - flat_name: process.entry_leader.working_directory.text + name: text + type: match_only_text + name: working_directory normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. + original_fieldset: process + short: The working directory of the process. type: keyword -process.entry_leader.code_signature.status: - dashed_name: process-entry-leader-code-signature-status - description: 'Additional information about the certificate status. +process.env_vars: + dashed_name: process-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.entry_leader.code_signature.status + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.env_vars ignore_above: 1024 level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. + name: env_vars + normalize: + - array + short: Array of environment variable bindings. + synthetic_source_keep: none type: keyword -process.entry_leader.code_signature.subject_name: - dashed_name: process-entry-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.entry_leader.code_signature.subject_name +process.executable: + dashed_name: process-executable + description: Absolute path to the process executable. 
+ example: /usr/bin/ssh + flat_name: process.executable ignore_above: 1024 - level: core - name: subject_name + level: extended + multi_fields: + - flat_name: process.executable.text + name: text + type: match_only_text + name: executable normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer + otel: + - attribute: process.executable.path + relation: equivalent + stability: development + short: Absolute path to the process executable. type: keyword -process.entry_leader.code_signature.team_id: - dashed_name: process-entry-leader-code-signature-team-id - description: 'The team identifier used to sign the process. +process.exit_code: + dashed_name: process-exit-code + description: 'The exit code of the process, if this is a termination event. - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.entry_leader.code_signature.team_id - ignore_above: 1024 + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.exit_code level: extended - name: team_id + name: exit_code normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword -process.entry_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.entry_leader.code_signature.thumbprint_sha256 - ignore_above: 64 + short: The exit code of the process. + type: long +process.group.id: + dashed_name: process-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.group.id + ignore_above: 1024 level: extended - name: thumbprint_sha256 + name: id normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword -process.entry_leader.code_signature.timestamp: - dashed_name: process-entry-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.entry_leader.code_signature.timestamp +process.group.name: + dashed_name: process-group-name + description: Name of the group. + flat_name: process.group.name + ignore_above: 1024 level: extended - name: timestamp + name: name normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date -process.entry_leader.code_signature.trusted: - dashed_name: process-entry-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. + original_fieldset: group + short: Name of the group. + type: keyword +process.group_leader.args: + dashed_name: process-group-leader-args + description: 'Array of process arguments, starting with the absolute path to the + executable. - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.entry_leader.code_signature.trusted + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.group_leader.args + ignore_above: 1024 level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. 
- type: boolean -process.entry_leader.code_signature.valid: - dashed_name: process-entry-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword +process.group_leader.args_count: + dashed_name: process-group-leader-args-count + description: 'Length of the process.args array. - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.entry_leader.code_signature.valid + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.group_leader.args_count level: extended - name: valid + name: args_count normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -process.entry_leader.command_line: - dashed_name: process-entry-leader-command-line + original_fieldset: process + short: Length of the process.args array. + type: long +process.group_leader.command_line: + dashed_name: process-group-leader-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.entry_leader.command_line + flat_name: process.group_leader.command_line level: extended multi_fields: - - flat_name: process.entry_leader.command_line.text + - flat_name: process.group_leader.command_line.text name: text type: match_only_text name: command_line 
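Review bot: this hunk deletes the entire `process.entry_leader.code_signature.*` block from the generated flat schema (`signing_id`, `status`, `subject_name`, `team_id`, `thumbprint_sha256`, `timestamp`, `trusted`, `valid`), and the `+` side re-emits `process.env_vars` through `process.group_leader.command_line` with only generic lines such as `ignore_above: 1024`, `level: extended` and `normalize: []` matched as context. Dropping a reused fieldset is a breaking change for any index template or detection rule keyed on these fields (for example `process.entry_leader.code_signature.trusted` or the beta `thumbprint_sha256` with its `pattern: ^[0-9a-f]{64}$`), and nothing in the hunk says why. If this is a regeneration against a stale base rather than an intended schema change, please regenerate the generated artifacts from the current main so the diff contains only the intended edits; if the removal is intended, it needs a changelog entry and a note on the migration path for consumers.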
@@ -12304,1154 +11239,598 @@ process.entry_leader.command_line: original_fieldset: process short: Full command line that started the process. type: wildcard -process.entry_leader.elf.architecture: - dashed_name: process-entry-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.entry_leader.elf.architecture +process.group_leader.entity_id: + dashed_name: process-group-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.group_leader.entity_id ignore_above: 1024 level: extended - name: architecture + name: entity_id normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. + original_fieldset: process + short: Unique identifier for the process. type: keyword -process.entry_leader.elf.byte_order: - dashed_name: process-entry-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.entry_leader.elf.byte_order +process.group_leader.executable: + dashed_name: process-group-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.group_leader.executable ignore_above: 1024 level: extended - name: byte_order + multi_fields: + - flat_name: process.group_leader.executable.text + name: text + type: match_only_text + name: executable normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. + original_fieldset: process + short: Absolute path to the process executable. 
type: keyword -process.entry_leader.elf.cpu_type: - dashed_name: process-entry-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.entry_leader.elf.cpu_type +process.group_leader.group.id: + dashed_name: process-group-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.group.id ignore_above: 1024 level: extended - name: cpu_type + name: id normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword -process.entry_leader.elf.creation_date: - dashed_name: process-entry-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - flat_name: process.entry_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date -process.entry_leader.elf.exports: - dashed_name: process-entry-leader-elf-exports - description: List of exported element names and types. - flat_name: process.entry_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -process.entry_leader.elf.go_import_hash: - dashed_name: process-entry-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.elf.go_import_hash +process.group_leader.group.name: + dashed_name: process-group-leader-group-name + description: Name of the group. + flat_name: process.group_leader.group.name ignore_above: 1024 level: extended - name: go_import_hash + name: name normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. + original_fieldset: group + short: Name of the group. type: keyword -process.entry_leader.elf.go_imports: - dashed_name: process-entry-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.elf.go_imports +process.group_leader.interactive: + dashed_name: process-group-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.group_leader.interactive level: extended - name: go_imports + name: interactive normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened -process.entry_leader.elf.go_imports_names_entropy: - dashed_name: process-entry-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.entry_leader.elf.go_imports_names_entropy - format: number + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.group_leader.name: + dashed_name: process-group-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.group_leader.name + ignore_above: 1024 level: extended - name: go_imports_names_entropy + multi_fields: + - flat_name: process.group_leader.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long -process.entry_leader.elf.go_imports_names_var_entropy: - dashed_name: process-entry-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy + original_fieldset: process + short: Process name. + type: keyword +process.group_leader.pid: + dashed_name: process-group-leader-pid + description: Process id. + example: 4242 + flat_name: process.group_leader.pid + format: string + level: core + name: pid normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. + original_fieldset: process + otel: + - relation: match + stability: development + short: Process id. type: long -process.entry_leader.elf.go_stripped: - dashed_name: process-entry-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.elf.go_stripped +process.group_leader.real_group.id: + dashed_name: process-group-leader-real-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.group_leader.real_group.id + ignore_above: 1024 level: extended - name: go_stripped + name: id normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.entry_leader.elf.header.abi_version: - dashed_name: process-entry-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.entry_leader.elf.header.abi_version + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group_leader.real_group.name: + dashed_name: process-group-leader-real-group-name + description: Name of the group. + flat_name: process.group_leader.real_group.name ignore_above: 1024 level: extended - name: header.abi_version + name: name normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). + original_fieldset: group + short: Name of the group. type: keyword -process.entry_leader.elf.header.class: - dashed_name: process-entry-leader-elf-header-class - description: Header class of the ELF file. - flat_name: process.entry_leader.elf.header.class +process.group_leader.real_user.id: + dashed_name: process-group-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.real_user.id ignore_above: 1024 - level: extended - name: header.class + level: core + name: id normalize: [] - original_fieldset: elf - short: Header class of the ELF file. + original_fieldset: user + short: Unique identifier of the user. type: keyword -process.entry_leader.elf.header.data: - dashed_name: process-entry-leader-elf-header-data - description: Data table of the ELF header. - flat_name: process.entry_leader.elf.header.data +process.group_leader.real_user.name: + dashed_name: process-group-leader-real-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.group_leader.real_user.name ignore_above: 1024 - level: extended - name: header.data + level: core + multi_fields: + - flat_name: process.group_leader.real_user.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: elf - short: Data table of the ELF header. + original_fieldset: user + short: Short name or login of the user. type: keyword -process.entry_leader.elf.header.entrypoint: - dashed_name: process-entry-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.entry_leader.elf.header.entrypoint - format: string +process.group_leader.same_as_process: + dashed_name: process-group-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' 
+ example: true + flat_name: process.group_leader.same_as_process level: extended - name: header.entrypoint + name: same_as_process normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -process.entry_leader.elf.header.object_version: - dashed_name: process-entry-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.entry_leader.elf.header.object_version + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.group_leader.saved_group.id: + dashed_name: process-group-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.saved_group.id ignore_above: 1024 level: extended - name: header.object_version + name: id normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword -process.entry_leader.elf.header.os_abi: - dashed_name: process-entry-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.entry_leader.elf.header.os_abi +process.group_leader.saved_group.name: + dashed_name: process-group-leader-saved-group-name + description: Name of the group. + flat_name: process.group_leader.saved_group.name ignore_above: 1024 level: extended - name: header.os_abi + name: name normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. + original_fieldset: group + short: Name of the group. type: keyword -process.entry_leader.elf.header.type: - dashed_name: process-entry-leader-elf-header-type - description: Header type of the ELF file. 
- flat_name: process.entry_leader.elf.header.type +process.group_leader.saved_user.id: + dashed_name: process-group-leader-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.saved_user.id ignore_above: 1024 - level: extended - name: header.type + level: core + name: id normalize: [] - original_fieldset: elf - short: Header type of the ELF file. + original_fieldset: user + short: Unique identifier of the user. type: keyword -process.entry_leader.elf.header.version: - dashed_name: process-entry-leader-elf-header-version - description: Version of the ELF header. - flat_name: process.entry_leader.elf.header.version +process.group_leader.saved_user.name: + dashed_name: process-group-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.saved_user.name ignore_above: 1024 - level: extended - name: header.version + level: core + multi_fields: + - flat_name: process.group_leader.saved_user.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: elf - short: Version of the ELF header. + original_fieldset: user + short: Short name or login of the user. type: keyword -process.entry_leader.elf.import_hash: - dashed_name: process-entry-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.elf.import_hash +process.group_leader.start: + dashed_name: process-group-leader-start + description: The time the process started. 
+ example: '2016-05-23T08:05:34.853Z' + flat_name: process.group_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.group_leader.supplemental_groups.id: + dashed_name: process-group-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.supplemental_groups.id ignore_above: 1024 level: extended - name: import_hash + name: id normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword -process.entry_leader.elf.imports: - dashed_name: process-entry-leader-elf-imports - description: List of imported element names and types. - flat_name: process.entry_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -process.entry_leader.elf.imports_names_entropy: - dashed_name: process-entry-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.entry_leader.elf.imports_names_entropy - format: number +process.group_leader.supplemental_groups.name: + dashed_name: process-group-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.group_leader.supplemental_groups.name + ignore_above: 1024 level: extended - name: imports_names_entropy + name: name normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.entry_leader.elf.imports_names_var_entropy: - dashed_name: process-entry-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- flat_name: process.entry_leader.elf.imports_names_var_entropy - format: number + original_fieldset: group + short: Name of the group. + type: keyword +process.group_leader.tty: + dashed_name: process-group-leader-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.group_leader.tty level: extended - name: imports_names_var_entropy + name: tty normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.entry_leader.elf.sections: - dashed_name: process-entry-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: process.entry_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -process.entry_leader.elf.sections.chi2: - dashed_name: process-entry-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.entry_leader.elf.sections.chi2 - format: number + original_fieldset: process + short: Information about the controlling TTY device. + type: object +process.group_leader.tty.char_device.major: + dashed_name: process-group-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. 
+ example: 4 + flat_name: process.group_leader.tty.char_device.major level: extended - name: sections.chi2 + name: tty.char_device.major normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. + original_fieldset: process + short: The TTY character device's major number. type: long -process.entry_leader.elf.sections.entropy: - dashed_name: process-entry-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.elf.sections.entropy - format: number +process.group_leader.tty.char_device.minor: + dashed_name: process-group-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.group_leader.tty.char_device.minor level: extended - name: sections.entropy + name: tty.char_device.minor normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. + original_fieldset: process + short: The TTY character device's minor number. type: long -process.entry_leader.elf.sections.flags: - dashed_name: process-entry-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.entry_leader.elf.sections.flags +process.group_leader.user.id: + dashed_name: process-group-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.user.id ignore_above: 1024 - level: extended - name: sections.flags + level: core + name: id normalize: [] - original_fieldset: elf - short: ELF Section List flags. + original_fieldset: user + short: Unique identifier of the user. 
type: keyword -process.entry_leader.elf.sections.name: - dashed_name: process-entry-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.entry_leader.elf.sections.name +process.group_leader.user.name: + dashed_name: process-group-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.user.name ignore_above: 1024 - level: extended - name: sections.name + level: core + multi_fields: + - flat_name: process.group_leader.user.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: elf - short: ELF Section List name. + original_fieldset: user + short: Short name or login of the user. type: keyword -process.entry_leader.elf.sections.physical_offset: - dashed_name: process-entry-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.entry_leader.elf.sections.physical_offset +process.group_leader.vpid: + dashed_name: process-group-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.group_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long +process.group_leader.working_directory: + dashed_name: process-group-leader-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.group_leader.working_directory ignore_above: 1024 level: extended - name: sections.physical_offset + multi_fields: + - flat_name: process.group_leader.working_directory.text + name: text + type: match_only_text + name: working_directory normalize: [] - original_fieldset: elf - short: ELF Section List offset. 
+ original_fieldset: process + short: The working directory of the process. type: keyword -process.entry_leader.elf.sections.physical_size: - dashed_name: process-entry-leader-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.entry_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long -process.entry_leader.elf.sections.type: - dashed_name: process-entry-leader-elf-sections-type - description: ELF Section List type. - flat_name: process.entry_leader.elf.sections.type +process.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.hash.cdhash ignore_above: 1024 level: extended - name: sections.type + name: cdhash normalize: [] - original_fieldset: elf - short: ELF Section List type. + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. type: keyword -process.entry_leader.elf.sections.var_entropy: - dashed_name: process-entry-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.elf.sections.var_entropy - format: number +process.hash.md5: + dashed_name: process-hash-md5 + description: MD5 hash. + flat_name: process.hash.md5 + ignore_above: 1024 level: extended - name: sections.var_entropy + name: md5 normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long -process.entry_leader.elf.sections.virtual_address: - dashed_name: process-entry-leader-elf-sections-virtual-address - description: ELF Section List virtual address. 
- flat_name: process.entry_leader.elf.sections.virtual_address - format: string + original_fieldset: hash + short: MD5 hash. + type: keyword +process.hash.sha1: + dashed_name: process-hash-sha1 + description: SHA1 hash. + flat_name: process.hash.sha1 + ignore_above: 1024 level: extended - name: sections.virtual_address + name: sha1 normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -process.entry_leader.elf.sections.virtual_size: - dashed_name: process-entry-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.entry_leader.elf.sections.virtual_size - format: string + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.hash.sha256: + dashed_name: process-hash-sha256 + description: SHA256 hash. + flat_name: process.hash.sha256 + ignore_above: 1024 level: extended - name: sections.virtual_size + name: sha256 normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long -process.entry_leader.elf.segments: - dashed_name: process-entry-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: process.entry_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested -process.entry_leader.elf.segments.sections: - dashed_name: process-entry-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.entry_leader.elf.segments.sections + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.hash.sha384: + dashed_name: process-hash-sha384 + description: SHA384 hash. 
+ flat_name: process.hash.sha384 ignore_above: 1024 level: extended - name: segments.sections + name: sha384 normalize: [] - original_fieldset: elf - short: ELF object segment sections. + original_fieldset: hash + short: SHA384 hash. type: keyword -process.entry_leader.elf.segments.type: - dashed_name: process-entry-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.entry_leader.elf.segments.type +process.hash.sha512: + dashed_name: process-hash-sha512 + description: SHA512 hash. + flat_name: process.hash.sha512 ignore_above: 1024 level: extended - name: segments.type + name: sha512 normalize: [] - original_fieldset: elf - short: ELF object segment type. + original_fieldset: hash + short: SHA512 hash. type: keyword -process.entry_leader.elf.shared_libraries: - dashed_name: process-entry-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.entry_leader.elf.shared_libraries +process.hash.ssdeep: + dashed_name: process-hash-ssdeep + description: SSDEEP hash. + flat_name: process.hash.ssdeep ignore_above: 1024 level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. type: keyword -process.entry_leader.elf.telfhash: - dashed_name: process-entry-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.entry_leader.elf.telfhash +process.hash.tlsh: + dashed_name: process-hash-tlsh + description: TLSH hash. + flat_name: process.hash.tlsh ignore_above: 1024 level: extended - name: telfhash + name: tlsh normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. + original_fieldset: hash + short: TLSH hash. type: keyword -process.entry_leader.end: - dashed_name: process-entry-leader-end - description: The time the process ended. 
- example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.end +process.interactive: + dashed_name: process-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.interactive level: extended - name: end + name: interactive normalize: [] - original_fieldset: process - short: The time the process ended. - type: date -process.entry_leader.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.entry_leader.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.entry_leader.entity_id: - dashed_name: process-entry-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. 
- - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.entry_leader.entry_meta.source.address: - dashed_name: process-entry-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.entry_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword -process.entry_leader.entry_meta.source.as.number: - dashed_name: process-entry-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.entry_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.entry_leader.entry_meta.source.as.organization.name: - dashed_name: process-entry-leader-entry-meta-source-as-organization-name - description: Organization name. 
- example: Google LLC - flat_name: process.entry_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword -process.entry_leader.entry_meta.source.bytes: - dashed_name: process-entry-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.entry_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long -process.entry_leader.entry_meta.source.domain: - dashed_name: process-entry-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' - example: foo.example.com - flat_name: process.entry_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.entry_leader.entry_meta.source.geo.city_name: - dashed_name: process-entry-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.entry_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.entry_leader.entry_meta.source.geo.continent_code: - dashed_name: process-entry-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. 
- example: NA - flat_name: process.entry_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -process.entry_leader.entry_meta.source.geo.continent_name: - dashed_name: process-entry-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.entry_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword -process.entry_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-entry-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.entry_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword -process.entry_leader.entry_meta.source.geo.country_name: - dashed_name: process-entry-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.entry_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.entry_leader.entry_meta.source.geo.location: - dashed_name: process-entry-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.entry_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. 
- type: geo_point -process.entry_leader.entry_meta.source.geo.name: - dashed_name: process-entry-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.entry_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.entry_leader.entry_meta.source.geo.postal_code: - dashed_name: process-entry-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.entry_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -process.entry_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-entry-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.entry_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.entry_leader.entry_meta.source.geo.region_name: - dashed_name: process-entry-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.entry_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. 
- type: keyword -process.entry_leader.entry_meta.source.geo.timezone: - dashed_name: process-entry-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.entry_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -process.entry_leader.entry_meta.source.ip: - dashed_name: process-entry-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.entry_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.entry_leader.entry_meta.source.mac: - dashed_name: process-entry-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.entry_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.entry_leader.entry_meta.source.nat.ip: - dashed_name: process-entry-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' 
- flat_name: process.entry_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.entry_leader.entry_meta.source.nat.port: - dashed_name: process-entry-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.entry_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.entry_leader.entry_meta.source.packets: - dashed_name: process-entry-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.entry_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.entry_leader.entry_meta.source.port: - dashed_name: process-entry-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.entry_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.entry_leader.entry_meta.source.registered_domain: - dashed_name: process-entry-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' 
- example: example.com - flat_name: process.entry_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword -process.entry_leader.entry_meta.source.subdomain: - dashed_name: process-entry-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.entry_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword -process.entry_leader.entry_meta.source.top_level_domain: - dashed_name: process-entry-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' 
- example: co.uk - flat_name: process.entry_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword -process.entry_leader.entry_meta.type: - dashed_name: process-entry-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.entry_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword -process.entry_leader.env_vars: - dashed_name: process-entry-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.entry_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.entry_leader.executable: - dashed_name: process-entry-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.entry_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. 
- type: keyword -process.entry_leader.exit_code: - dashed_name: process-entry-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.entry_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long -process.entry_leader.group.domain: - dashed_name: process-entry-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.group.id: - dashed_name: process-entry-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.group.name: - dashed_name: process-entry-leader-group-name - description: Name of the group. - flat_name: process.entry_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. 
- example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.entry_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.entry_leader.hash.md5: - dashed_name: process-entry-leader-hash-md5 - description: MD5 hash. - flat_name: process.entry_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.entry_leader.hash.sha1: - dashed_name: process-entry-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.entry_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.entry_leader.hash.sha256: - dashed_name: process-entry-leader-hash-sha256 - description: SHA256 hash. - flat_name: process.entry_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.entry_leader.hash.sha384: - dashed_name: process-entry-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.entry_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword -process.entry_leader.hash.sha512: - dashed_name: process-entry-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.entry_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.entry_leader.hash.ssdeep: - dashed_name: process-entry-leader-hash-ssdeep - description: SSDEEP hash. - flat_name: process.entry_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. 
- type: keyword -process.entry_leader.hash.tlsh: - dashed_name: process-entry-leader-hash-tlsh - description: TLSH hash. - flat_name: process.entry_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword -process.entry_leader.interactive: - dashed_name: process-entry-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.entry_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process + otel: + - relation: match + stability: development short: Whether the process is connected to an interactive shell. type: boolean -process.entry_leader.io: - dashed_name: process-entry-leader-io +process.io: + dashed_name: process-io description: 'A chunk of input or output (IO) from a single process. This field only appears on the top level process object, which is the process that wrote the output or read the input.' - flat_name: process.entry_leader.io + flat_name: process.io level: extended name: io normalize: [] - original_fieldset: process short: A chunk of input or output (IO) from a single process. 
type: object -process.entry_leader.io.bytes_skipped: - dashed_name: process-entry-leader-io-bytes-skipped +process.io.bytes_skipped: + dashed_name: process-io-bytes-skipped description: An array of byte offsets and lengths denoting where IO data has been skipped. - flat_name: process.entry_leader.io.bytes_skipped + flat_name: process.io.bytes_skipped level: extended name: io.bytes_skipped normalize: - array - original_fieldset: process short: An array of byte offsets and lengths denoting where IO data has been skipped. type: object -process.entry_leader.io.bytes_skipped.length: - dashed_name: process-entry-leader-io-bytes-skipped-length +process.io.bytes_skipped.length: + dashed_name: process-io-bytes-skipped-length description: The length of bytes skipped. - flat_name: process.entry_leader.io.bytes_skipped.length + flat_name: process.io.bytes_skipped.length level: extended name: io.bytes_skipped.length normalize: [] - original_fieldset: process short: The length of bytes skipped. type: long -process.entry_leader.io.bytes_skipped.offset: - dashed_name: process-entry-leader-io-bytes-skipped-offset +process.io.bytes_skipped.offset: + dashed_name: process-io-bytes-skipped-offset description: The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. - flat_name: process.entry_leader.io.bytes_skipped.offset + flat_name: process.io.bytes_skipped.offset level: extended name: io.bytes_skipped.offset normalize: [] - original_fieldset: process short: The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. type: long -process.entry_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-entry-leader-io-max-bytes-per-process-exceeded +process.io.max_bytes_per_process_exceeded: + dashed_name: process-io-max-bytes-per-process-exceeded description: If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. 
- flat_name: process.entry_leader.io.max_bytes_per_process_exceeded + flat_name: process.io.max_bytes_per_process_exceeded level: extended name: io.max_bytes_per_process_exceeded normalize: [] - original_fieldset: process short: If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. type: boolean -process.entry_leader.io.text: - dashed_name: process-entry-leader-io-text +process.io.text: + dashed_name: process-io-text description: 'A chunk of output or input sanitized to UTF-8. Best efforts are made to ensure complete lines are captured in these events. Assumptions should NOT be made that multiple lines will appear in the same event. TTY output may contain terminal control codes such as for cursor movement, so some string queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.entry_leader.io.text + flat_name: process.io.text level: extended name: io.text normalize: [] - original_fieldset: process short: A chunk of output or input sanitized to UTF-8. type: wildcard -process.entry_leader.io.total_bytes_captured: - dashed_name: process-entry-leader-io-total-bytes-captured +process.io.total_bytes_captured: + dashed_name: process-io-total-bytes-captured description: The total number of bytes captured in this event. - flat_name: process.entry_leader.io.total_bytes_captured + flat_name: process.io.total_bytes_captured level: extended name: io.total_bytes_captured normalize: [] - original_fieldset: process short: The total number of bytes captured in this event. type: long -process.entry_leader.io.total_bytes_skipped: - dashed_name: process-entry-leader-io-total-bytes-skipped +process.io.total_bytes_skipped: + dashed_name: process-io-total-bytes-skipped description: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. 
Implementors should strive to ensure this value is always zero - flat_name: process.entry_leader.io.total_bytes_skipped + flat_name: process.io.total_bytes_skipped level: extended name: io.total_bytes_skipped normalize: [] - original_fieldset: process short: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. type: long -process.entry_leader.io.type: - dashed_name: process-entry-leader-io-type +process.io.type: + dashed_name: process-io-type description: 'The type of object on which the IO action (read or write) was taken. Currently only ''tty'' is supported. Other types may be added in the future for ''file'' and ''socket'' support.' - flat_name: process.entry_leader.io.type + flat_name: process.io.type ignore_above: 1024 level: extended name: io.type normalize: [] - original_fieldset: process short: The type of object on which the IO action (read or write) was taken. type: keyword -process.entry_leader.macho.go_import_hash: - dashed_name: process-entry-leader-macho-go-import-hash +process.macho.go_import_hash: + dashed_name: process-macho-go-import-hash description: 'A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change @@ -13460,7 +11839,7 @@ process.entry_leader.macho.go_import_hash: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.macho.go_import_hash + flat_name: process.macho.go_import_hash ignore_above: 1024 level: extended name: go_import_hash 
@@ -13468,20 +11847,20 @@ process.entry_leader.macho.go_import_hash: original_fieldset: macho short: A hash of the Go language imports in a Mach-O file. type: keyword -process.entry_leader.macho.go_imports: - dashed_name: process-entry-leader-macho-go-imports +process.macho.go_imports: + dashed_name: process-macho-go-imports description: List of imported Go language element names and types. - flat_name: process.entry_leader.macho.go_imports + flat_name: process.macho.go_imports level: extended name: go_imports normalize: [] original_fieldset: macho short: List of imported Go language element names and types. type: flattened -process.entry_leader.macho.go_imports_names_entropy: - dashed_name: process-entry-leader-macho-go-imports-names-entropy +process.macho.go_imports_names_entropy: + dashed_name: process-macho-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.macho.go_imports_names_entropy + flat_name: process.macho.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy @@ -13489,10 +11868,10 @@ process.entry_leader.macho.go_imports_names_entropy: original_fieldset: macho short: Shannon entropy calculation from the list of Go imports. type: long -process.entry_leader.macho.go_imports_names_var_entropy: - dashed_name: process-entry-leader-macho-go-imports-names-var-entropy +process.macho.go_imports_names_var_entropy: + dashed_name: process-macho-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.macho.go_imports_names_var_entropy + flat_name: process.macho.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -13500,26 +11879,26 @@ process.entry_leader.macho.go_imports_names_var_entropy: original_fieldset: macho short: Variance for Shannon entropy calculation from the list of Go imports. type: long -process.entry_leader.macho.go_stripped: - dashed_name: process-entry-leader-macho-go-stripped +process.macho.go_stripped: + dashed_name: process-macho-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.macho.go_stripped + flat_name: process.macho.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: macho short: Whether the file is a stripped or obfuscated Go executable. type: boolean -process.entry_leader.macho.import_hash: - dashed_name: process-entry-leader-macho-import-hash +process.macho.import_hash: + dashed_name: process-macho-import-hash description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for symhash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.macho.import_hash + flat_name: process.macho.import_hash ignore_above: 1024 level: extended name: import_hash @@ -13527,10 +11906,10 @@ process.entry_leader.macho.import_hash: original_fieldset: macho short: A hash of the imports in a Mach-O file. type: keyword -process.entry_leader.macho.imports: - dashed_name: process-entry-leader-macho-imports +process.macho.imports: + dashed_name: process-macho-imports description: List of imported element names and types. - flat_name: process.entry_leader.macho.imports + flat_name: process.macho.imports level: extended name: imports normalize: 
@@ -13538,11 +11917,11 @@ process.entry_leader.macho.imports: original_fieldset: macho short: List of imported element names and types. type: flattened -process.entry_leader.macho.imports_names_entropy: - dashed_name: process-entry-leader-macho-imports-names-entropy +process.macho.imports_names_entropy: + dashed_name: process-macho-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.entry_leader.macho.imports_names_entropy + flat_name: process.macho.imports_names_entropy format: number level: extended name: imports_names_entropy @@ -13550,11 +11929,11 @@ process.entry_leader.macho.imports_names_entropy: original_fieldset: macho short: Shannon entropy calculation from the list of imported element names and types. type: long -process.entry_leader.macho.imports_names_var_entropy: - dashed_name: process-entry-leader-macho-imports-names-var-entropy +process.macho.imports_names_var_entropy: + dashed_name: process-macho-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.entry_leader.macho.imports_names_var_entropy + flat_name: process.macho.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy @@ -13563,13 +11942,13 @@ process.entry_leader.macho.imports_names_var_entropy: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long -process.entry_leader.macho.sections: - dashed_name: process-entry-leader-macho-sections +process.macho.sections: + dashed_name: process-macho-sections description: 'An array containing an object for each section of the Mach-O file. The keys that should be present in these objects are defined by sub-fields underneath `macho.sections.*`.' - flat_name: process.entry_leader.macho.sections + flat_name: process.macho.sections level: extended name: sections normalize: 
@@ -13577,10 +11956,10 @@ process.entry_leader.macho.sections: original_fieldset: macho short: Section information of the Mach-O file. type: nested -process.entry_leader.macho.sections.entropy: - dashed_name: process-entry-leader-macho-sections-entropy +process.macho.sections.entropy: + dashed_name: process-macho-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.macho.sections.entropy + flat_name: process.macho.sections.entropy format: number level: extended name: sections.entropy @@ -13588,10 +11967,10 @@ process.entry_leader.macho.sections.entropy: original_fieldset: macho short: Shannon entropy calculation from the section. type: long -process.entry_leader.macho.sections.name: - dashed_name: process-entry-leader-macho-sections-name +process.macho.sections.name: + dashed_name: process-macho-sections-name description: Mach-O Section List name. - flat_name: process.entry_leader.macho.sections.name + flat_name: process.macho.sections.name ignore_above: 1024 level: extended name: sections.name @@ -13599,10 +11978,10 @@ process.entry_leader.macho.sections.name: original_fieldset: macho short: Mach-O Section List name. type: keyword -process.entry_leader.macho.sections.physical_size: - dashed_name: process-entry-leader-macho-sections-physical-size +process.macho.sections.physical_size: + dashed_name: process-macho-sections-physical-size description: Mach-O Section List physical size. - flat_name: process.entry_leader.macho.sections.physical_size + flat_name: process.macho.sections.physical_size format: bytes level: extended name: sections.physical_size 
@@ -13610,10 +11989,10 @@ process.entry_leader.macho.sections.physical_size: original_fieldset: macho short: Mach-O Section List physical size. type: long -process.entry_leader.macho.sections.var_entropy: - dashed_name: process-entry-leader-macho-sections-var-entropy +process.macho.sections.var_entropy: + dashed_name: process-macho-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.macho.sections.var_entropy + flat_name: process.macho.sections.var_entropy format: number level: extended name: sections.var_entropy @@ -13621,10 +12000,10 @@ process.entry_leader.macho.sections.var_entropy: original_fieldset: macho short: Variance for Shannon entropy calculation from the section. type: long -process.entry_leader.macho.sections.virtual_size: - dashed_name: process-entry-leader-macho-sections-virtual-size +process.macho.sections.virtual_size: + dashed_name: process-macho-sections-virtual-size description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.macho.sections.virtual_size + flat_name: process.macho.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -13632,15 +12011,15 @@ process.entry_leader.macho.sections.virtual_size: original_fieldset: macho short: Mach-O Section List virtual size. This is always the same as `physical_size`. type: long -process.entry_leader.macho.symhash: - dashed_name: process-entry-leader-macho-symhash +process.macho.symhash: + dashed_name: process-macho-symhash description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a Mach-O implementation of the Windows PE imphash' example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.entry_leader.macho.symhash + flat_name: process.macho.symhash ignore_above: 1024 level: extended name: symhash 
@@ -13648,58 +12027,31 @@ process.entry_leader.macho.symhash: original_fieldset: macho short: A hash of the imports in a Mach-O file. type: keyword -process.entry_leader.name: - dashed_name: process-entry-leader-name +process.name: + dashed_name: process-name description: 'Process name. Sometimes called program name or similar.' example: ssh - flat_name: process.entry_leader.name + flat_name: process.name ignore_above: 1024 level: extended multi_fields: - - flat_name: process.entry_leader.name.text + - flat_name: process.name.text name: text type: match_only_text name: name normalize: [] - original_fieldset: process short: Process name. type: keyword -process.entry_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. - example: http://example.com/article1.html - flat_name: process.entry_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.entry_leader.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.entry_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword -process.entry_leader.parent.args: - dashed_name: process-entry-leader-parent-args +process.parent.args: + dashed_name: process-parent-args description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.' 
example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.entry_leader.parent.args + flat_name: process.parent.args ignore_above: 1024 level: extended name: args 
@@ -13708,533 +12060,29 @@ process.entry_leader.parent.args: original_fieldset: process short: Array of process arguments. type: keyword -process.entry_leader.parent.args_count: - dashed_name: process-entry-leader-parent-args-count +process.parent.args_count: + dashed_name: process-parent-args-count description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.' example: 4 - flat_name: process.entry_leader.parent.args_count + flat_name: process.parent.args_count level: extended name: args_count normalize: [] original_fieldset: process short: Length of the process.args array. type: long -process.entry_leader.parent.attested_groups.domain: - dashed_name: process-entry-leader-parent-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.attested_groups.id: - dashed_name: process-entry-leader-parent-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.attested_groups.name: - dashed_name: process-entry-leader-parent-attested-groups-name - description: Name of the group. - flat_name: process.entry_leader.parent.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.entry_leader.parent.attested_user.domain: - dashed_name: process-entry-leader-parent-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.entry_leader.parent.attested_user.email: - dashed_name: process-entry-leader-parent-attested-user-email - description: User email address. - flat_name: process.entry_leader.parent.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.entry_leader.parent.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.entry_leader.parent.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.entry_leader.parent.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. 
Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.entry_leader.parent.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.entry_leader.parent.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.parent.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.attested_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.entry_leader.parent.attested_user.entity.id: - dashed_name: process-entry-leader-parent-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. 
Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.entry_leader.parent.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.entry_leader.parent.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.parent.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.entry_leader.parent.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.entry_leader.parent.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. 
- flat_name: process.entry_leader.parent.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.entry_leader.parent.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.entry_leader.parent.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.attested_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.entry_leader.parent.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.entry_leader.parent.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.entry_leader.parent.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. 
This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.parent.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.entry_leader.parent.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.entry_leader.parent.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.entry_leader.parent.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.parent.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.entry_leader.parent.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. 
Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. 
This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-type - description: 'A standardized high-level classification of the entity. 
This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.entry_leader.parent.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.entry_leader.parent.attested_user.full_name: - dashed_name: process-entry-leader-parent-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.entry_leader.parent.attested_user.group.domain: - dashed_name: process-entry-leader-parent-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.attested_user.group.id: - dashed_name: process-entry-leader-parent-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword -process.entry_leader.parent.attested_user.group.name: - dashed_name: process-entry-leader-parent-attested-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.attested_user.hash: - dashed_name: process-entry-leader-parent-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.parent.attested_user.id: - dashed_name: process-entry-leader-parent-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.entry_leader.parent.attested_user.name: - dashed_name: process-entry-leader-parent-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword -process.entry_leader.parent.attested_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.entry_leader.parent.attested_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.entry_leader.parent.attested_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.parent.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float -process.entry_leader.parent.attested_user.risk.static_level: - dashed_name: process-entry-leader-parent-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.entry_leader.parent.attested_user.risk.static_score: - dashed_name: process-entry-leader-parent-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.entry_leader.parent.attested_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.entry_leader.parent.attested_user.roles: - dashed_name: process-entry-leader-parent-attested-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.code_signature.digest_algorithm: - dashed_name: process-entry-leader-parent-code-signature-digest-algorithm +process.parent.code_signature.digest_algorithm: + dashed_name: process-parent-code-signature-digest-algorithm description: 'The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.' example: sha256 - flat_name: process.entry_leader.parent.code_signature.digest_algorithm + flat_name: process.parent.code_signature.digest_algorithm ignore_above: 1024 level: extended name: digest_algorithm 
@@ -14242,23 +12090,23 @@ process.entry_leader.parent.code_signature.digest_algorithm: original_fieldset: code_signature short: Hashing algorithm used to sign the process. type: keyword -process.entry_leader.parent.code_signature.exists: - dashed_name: process-entry-leader-parent-code-signature-exists +process.parent.code_signature.exists: + dashed_name: process-parent-code-signature-exists description: Boolean to capture if a signature is present. example: 'true' - flat_name: process.entry_leader.parent.code_signature.exists + flat_name: process.parent.code_signature.exists level: core name: exists normalize: [] original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean -process.entry_leader.parent.code_signature.flags: +process.parent.code_signature.flags: beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-code-signature-flags + dashed_name: process-parent-code-signature-flags description: The flags used to sign the process. example: 570522385 - flat_name: process.entry_leader.parent.code_signature.flags + flat_name: process.parent.code_signature.flags ignore_above: 1024 level: extended name: flags @@ -14266,14 +12114,14 @@ process.entry_leader.parent.code_signature.flags: original_fieldset: code_signature short: Code signing flags of the process type: keyword -process.entry_leader.parent.code_signature.signing_id: - dashed_name: process-entry-leader-parent-code-signature-signing-id +process.parent.code_signature.signing_id: + dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy - flat_name: process.entry_leader.parent.code_signature.signing_id + flat_name: process.parent.code_signature.signing_id ignore_above: 1024 level: extended name: signing_id 
@@ -14281,15 +12129,15 @@ process.entry_leader.parent.code_signature.signing_id: original_fieldset: code_signature short: The identifier used to sign the process. type: keyword -process.entry_leader.parent.code_signature.status: - dashed_name: process-entry-leader-parent-code-signature-status +process.parent.code_signature.status: + dashed_name: process-parent-code-signature-status description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT - flat_name: process.entry_leader.parent.code_signature.status + flat_name: process.parent.code_signature.status ignore_above: 1024 level: extended name: status @@ -14297,11 +12145,11 @@ process.entry_leader.parent.code_signature.status: original_fieldset: code_signature short: Additional information about the certificate status. type: keyword -process.entry_leader.parent.code_signature.subject_name: - dashed_name: process-entry-leader-parent-code-signature-subject-name +process.parent.code_signature.subject_name: + dashed_name: process-parent-code-signature-subject-name description: Subject name of the code signer example: Microsoft Corporation - flat_name: process.entry_leader.parent.code_signature.subject_name + flat_name: process.parent.code_signature.subject_name ignore_above: 1024 level: core name: subject_name 
@@ -14309,14 +12157,14 @@ process.entry_leader.parent.code_signature.subject_name: original_fieldset: code_signature short: Subject name of the code signer type: keyword -process.entry_leader.parent.code_signature.team_id: - dashed_name: process-entry-leader-parent-code-signature-team-id +process.parent.code_signature.team_id: + dashed_name: process-parent-code-signature-team-id description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV - flat_name: process.entry_leader.parent.code_signature.team_id + flat_name: process.parent.code_signature.team_id ignore_above: 1024 level: extended name: team_id @@ -14324,12 +12172,12 @@ process.entry_leader.parent.code_signature.team_id: original_fieldset: code_signature short: The team identifier used to sign the process. type: keyword -process.entry_leader.parent.code_signature.thumbprint_sha256: +process.parent.code_signature.thumbprint_sha256: beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-code-signature-thumbprint-sha256 + dashed_name: process-parent-code-signature-thumbprint-sha256 description: Certificate SHA256 hash that uniquely identifies the code signer. example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.entry_leader.parent.code_signature.thumbprint_sha256 + flat_name: process.parent.code_signature.thumbprint_sha256 ignore_above: 64 level: extended name: thumbprint_sha256 
@@ -14338,39 +12186,39 @@ process.entry_leader.parent.code_signature.thumbprint_sha256: pattern: ^[0-9a-f]{64}$ short: SHA256 hash of the certificate. type: keyword -process.entry_leader.parent.code_signature.timestamp: - dashed_name: process-entry-leader-parent-code-signature-timestamp +process.parent.code_signature.timestamp: + dashed_name: process-parent-code-signature-timestamp description: Date and time when the code signature was generated and signed. example: '2021-01-01T12:10:30Z' - flat_name: process.entry_leader.parent.code_signature.timestamp + flat_name: process.parent.code_signature.timestamp level: extended name: timestamp normalize: [] original_fieldset: code_signature short: When the signature was generated and signed. type: date -process.entry_leader.parent.code_signature.trusted: - dashed_name: process-entry-leader-parent-code-signature-trusted +process.parent.code_signature.trusted: + dashed_name: process-parent-code-signature-trusted description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' - flat_name: process.entry_leader.parent.code_signature.trusted + flat_name: process.parent.code_signature.trusted level: extended name: trusted normalize: [] original_fieldset: code_signature short: Stores the trust status of the certificate chain. type: boolean -process.entry_leader.parent.code_signature.valid: - dashed_name: process-entry-leader-parent-code-signature-valid +process.parent.code_signature.valid: + dashed_name: process-parent-code-signature-valid description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' - flat_name: process.entry_leader.parent.code_signature.valid + flat_name: process.parent.code_signature.valid level: extended name: valid normalize: [] 
@@ -14378,17 +12226,17 @@ process.entry_leader.parent.code_signature.valid: short: Boolean to capture if the digital signature is verified against the binary content. type: boolean -process.entry_leader.parent.command_line: - dashed_name: process-entry-leader-parent-command-line +process.parent.command_line: + dashed_name: process-parent-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.entry_leader.parent.command_line + flat_name: process.parent.command_line level: extended multi_fields: - - flat_name: process.entry_leader.parent.command_line.text + - flat_name: process.parent.command_line.text name: text type: match_only_text name: command_line @@ -14396,11 +12244,11 @@ process.entry_leader.parent.command_line: original_fieldset: process short: Full command line that started the process. type: wildcard -process.entry_leader.parent.elf.architecture: - dashed_name: process-entry-leader-parent-elf-architecture +process.parent.elf.architecture: + dashed_name: process-parent-elf-architecture description: Machine architecture of the ELF file. example: x86-64 - flat_name: process.entry_leader.parent.elf.architecture + flat_name: process.parent.elf.architecture ignore_above: 1024 level: extended name: architecture @@ -14408,11 +12256,11 @@ process.entry_leader.parent.elf.architecture: original_fieldset: elf short: Machine architecture of the ELF file. type: keyword -process.entry_leader.parent.elf.byte_order: - dashed_name: process-entry-leader-parent-elf-byte-order +process.parent.elf.byte_order: + dashed_name: process-parent-elf-byte-order description: Byte sequence of ELF file. example: Little Endian - flat_name: process.entry_leader.parent.elf.byte_order + flat_name: process.parent.elf.byte_order ignore_above: 1024 level: extended name: byte_order 
@@ -14420,11 +12268,11 @@ process.entry_leader.parent.elf.byte_order: original_fieldset: elf short: Byte sequence of ELF file. type: keyword -process.entry_leader.parent.elf.cpu_type: - dashed_name: process-entry-leader-parent-elf-cpu-type +process.parent.elf.cpu_type: + dashed_name: process-parent-elf-cpu-type description: CPU type of the ELF file. example: Intel - flat_name: process.entry_leader.parent.elf.cpu_type + flat_name: process.parent.elf.cpu_type ignore_above: 1024 level: extended name: cpu_type @@ -14432,21 +12280,21 @@ process.entry_leader.parent.elf.cpu_type: original_fieldset: elf short: CPU type of the ELF file. type: keyword -process.entry_leader.parent.elf.creation_date: - dashed_name: process-entry-leader-parent-elf-creation-date +process.parent.elf.creation_date: + dashed_name: process-parent-elf-creation-date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. - flat_name: process.entry_leader.parent.elf.creation_date + flat_name: process.parent.elf.creation_date level: extended name: creation_date normalize: [] original_fieldset: elf short: Build or compile date. type: date -process.entry_leader.parent.elf.exports: - dashed_name: process-entry-leader-parent-elf-exports +process.parent.elf.exports: + dashed_name: process-parent-elf-exports description: List of exported element names and types. - flat_name: process.entry_leader.parent.elf.exports + flat_name: process.parent.elf.exports level: extended name: exports normalize: 
@@ -14454,8 +12302,8 @@ process.entry_leader.parent.elf.exports: original_fieldset: elf short: List of exported element names and types. type: flattened -process.entry_leader.parent.elf.go_import_hash: - dashed_name: process-entry-leader-parent-elf-go-import-hash +process.parent.elf.go_import_hash: + dashed_name: process-parent-elf-go-import-hash description: 'A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change @@ -14464,7 +12312,7 @@ process.entry_leader.parent.elf.go_import_hash: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.elf.go_import_hash + flat_name: process.parent.elf.go_import_hash ignore_above: 1024 level: extended name: go_import_hash 
@@ -14472,20 +12320,20 @@ process.entry_leader.parent.elf.go_import_hash: original_fieldset: elf short: A hash of the Go language imports in an ELF file. type: keyword -process.entry_leader.parent.elf.go_imports: - dashed_name: process-entry-leader-parent-elf-go-imports +process.parent.elf.go_imports: + dashed_name: process-parent-elf-go-imports description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.elf.go_imports + flat_name: process.parent.elf.go_imports level: extended name: go_imports normalize: [] original_fieldset: elf short: List of imported Go language element names and types. type: flattened -process.entry_leader.parent.elf.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-elf-go-imports-names-entropy +process.parent.elf.go_imports_names_entropy: + dashed_name: process-parent-elf-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.elf.go_imports_names_entropy + flat_name: process.parent.elf.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy @@ -14493,10 +12341,10 @@ process.entry_leader.parent.elf.go_imports_names_entropy: original_fieldset: elf short: Shannon entropy calculation from the list of Go imports. type: long -process.entry_leader.parent.elf.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-elf-go-imports-names-var-entropy +process.parent.elf.go_imports_names_var_entropy: + dashed_name: process-parent-elf-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.elf.go_imports_names_var_entropy + flat_name: process.parent.elf.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -14504,21 +12352,21 @@ process.entry_leader.parent.elf.go_imports_names_var_entropy: original_fieldset: elf short: Variance for Shannon entropy calculation from the list of Go imports. type: long -process.entry_leader.parent.elf.go_stripped: - dashed_name: process-entry-leader-parent-elf-go-stripped +process.parent.elf.go_stripped: + dashed_name: process-parent-elf-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.elf.go_stripped + flat_name: process.parent.elf.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: elf short: Whether the file is a stripped or obfuscated Go executable. type: boolean -process.entry_leader.parent.elf.header.abi_version: - dashed_name: process-entry-leader-parent-elf-header-abi-version +process.parent.elf.header.abi_version: + dashed_name: process-parent-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.entry_leader.parent.elf.header.abi_version + flat_name: process.parent.elf.header.abi_version ignore_above: 1024 level: extended name: header.abi_version @@ -14526,10 +12374,10 @@ process.entry_leader.parent.elf.header.abi_version: original_fieldset: elf short: Version of the ELF Application Binary Interface (ABI). type: keyword -process.entry_leader.parent.elf.header.class: - dashed_name: process-entry-leader-parent-elf-header-class +process.parent.elf.header.class: + dashed_name: process-parent-elf-header-class description: Header class of the ELF file. - flat_name: process.entry_leader.parent.elf.header.class + flat_name: process.parent.elf.header.class ignore_above: 1024 level: extended name: header.class 
@@ -14537,10 +12385,10 @@ process.entry_leader.parent.elf.header.class: original_fieldset: elf short: Header class of the ELF file. type: keyword -process.entry_leader.parent.elf.header.data: - dashed_name: process-entry-leader-parent-elf-header-data +process.parent.elf.header.data: + dashed_name: process-parent-elf-header-data description: Data table of the ELF header. - flat_name: process.entry_leader.parent.elf.header.data + flat_name: process.parent.elf.header.data ignore_above: 1024 level: extended name: header.data @@ -14548,10 +12396,10 @@ process.entry_leader.parent.elf.header.data: original_fieldset: elf short: Data table of the ELF header. type: keyword -process.entry_leader.parent.elf.header.entrypoint: - dashed_name: process-entry-leader-parent-elf-header-entrypoint +process.parent.elf.header.entrypoint: + dashed_name: process-parent-elf-header-entrypoint description: Header entrypoint of the ELF file. - flat_name: process.entry_leader.parent.elf.header.entrypoint + flat_name: process.parent.elf.header.entrypoint format: string level: extended name: header.entrypoint @@ -14559,10 +12407,10 @@ process.entry_leader.parent.elf.header.entrypoint: original_fieldset: elf short: Header entrypoint of the ELF file. type: long -process.entry_leader.parent.elf.header.object_version: - dashed_name: process-entry-leader-parent-elf-header-object-version +process.parent.elf.header.object_version: + dashed_name: process-parent-elf-header-object-version description: '"0x1" for original ELF files.' - flat_name: process.entry_leader.parent.elf.header.object_version + flat_name: process.parent.elf.header.object_version ignore_above: 1024 level: extended name: header.object_version 
@@ -14570,10 +12418,10 @@ process.entry_leader.parent.elf.header.object_version: original_fieldset: elf short: '"0x1" for original ELF files.' type: keyword -process.entry_leader.parent.elf.header.os_abi: - dashed_name: process-entry-leader-parent-elf-header-os-abi +process.parent.elf.header.os_abi: + dashed_name: process-parent-elf-header-os-abi description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.entry_leader.parent.elf.header.os_abi + flat_name: process.parent.elf.header.os_abi ignore_above: 1024 level: extended name: header.os_abi @@ -14581,10 +12429,10 @@ process.entry_leader.parent.elf.header.os_abi: original_fieldset: elf short: Application Binary Interface (ABI) of the Linux OS. type: keyword -process.entry_leader.parent.elf.header.type: - dashed_name: process-entry-leader-parent-elf-header-type +process.parent.elf.header.type: + dashed_name: process-parent-elf-header-type description: Header type of the ELF file. - flat_name: process.entry_leader.parent.elf.header.type + flat_name: process.parent.elf.header.type ignore_above: 1024 level: extended name: header.type @@ -14592,10 +12440,10 @@ process.entry_leader.parent.elf.header.type: original_fieldset: elf short: Header type of the ELF file. type: keyword -process.entry_leader.parent.elf.header.version: - dashed_name: process-entry-leader-parent-elf-header-version +process.parent.elf.header.version: + dashed_name: process-parent-elf-header-version description: Version of the ELF header. - flat_name: process.entry_leader.parent.elf.header.version + flat_name: process.parent.elf.header.version ignore_above: 1024 level: extended name: header.version 
@@ -14603,15 +12451,15 @@ process.entry_leader.parent.elf.header.version: original_fieldset: elf short: Version of the ELF header. type: keyword -process.entry_leader.parent.elf.import_hash: - dashed_name: process-entry-leader-parent-elf-import-hash +process.parent.elf.import_hash: + dashed_name: process-parent-elf-import-hash description: 'A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is an ELF implementation of the Windows PE imphash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.elf.import_hash + flat_name: process.parent.elf.import_hash ignore_above: 1024 level: extended name: import_hash @@ -14619,10 +12467,10 @@ process.entry_leader.parent.elf.import_hash: original_fieldset: elf short: A hash of the imports in an ELF file. type: keyword -process.entry_leader.parent.elf.imports: - dashed_name: process-entry-leader-parent-elf-imports +process.parent.elf.imports: + dashed_name: process-parent-elf-imports description: List of imported element names and types. - flat_name: process.entry_leader.parent.elf.imports + flat_name: process.parent.elf.imports level: extended name: imports normalize: @@ -14630,11 +12478,11 @@ process.entry_leader.parent.elf.imports: original_fieldset: elf short: List of imported element names and types. type: flattened -process.entry_leader.parent.elf.imports_names_entropy: - dashed_name: process-entry-leader-parent-elf-imports-names-entropy +process.parent.elf.imports_names_entropy: + dashed_name: process-parent-elf-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.entry_leader.parent.elf.imports_names_entropy + flat_name: process.parent.elf.imports_names_entropy format: number level: extended name: imports_names_entropy 
@@ -14642,11 +12490,11 @@ process.entry_leader.parent.elf.imports_names_entropy: original_fieldset: elf short: Shannon entropy calculation from the list of imported element names and types. type: long -process.entry_leader.parent.elf.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-elf-imports-names-var-entropy +process.parent.elf.imports_names_var_entropy: + dashed_name: process-parent-elf-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.entry_leader.parent.elf.imports_names_var_entropy + flat_name: process.parent.elf.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy @@ -14655,13 +12503,13 @@ process.entry_leader.parent.elf.imports_names_var_entropy: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long -process.entry_leader.parent.elf.sections: - dashed_name: process-entry-leader-parent-elf-sections +process.parent.elf.sections: + dashed_name: process-parent-elf-sections description: 'An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.' - flat_name: process.entry_leader.parent.elf.sections + flat_name: process.parent.elf.sections level: extended name: sections normalize: @@ -14669,10 +12517,10 @@ process.entry_leader.parent.elf.sections: original_fieldset: elf short: Section information of the ELF file. type: nested -process.entry_leader.parent.elf.sections.chi2: - dashed_name: process-entry-leader-parent-elf-sections-chi2 +process.parent.elf.sections.chi2: + dashed_name: process-parent-elf-sections-chi2 description: Chi-square probability distribution of the section. - flat_name: process.entry_leader.parent.elf.sections.chi2 + flat_name: process.parent.elf.sections.chi2 format: number level: extended name: sections.chi2 
@@ -14680,10 +12528,10 @@ process.entry_leader.parent.elf.sections.chi2: original_fieldset: elf short: Chi-square probability distribution of the section. type: long -process.entry_leader.parent.elf.sections.entropy: - dashed_name: process-entry-leader-parent-elf-sections-entropy +process.parent.elf.sections.entropy: + dashed_name: process-parent-elf-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.elf.sections.entropy + flat_name: process.parent.elf.sections.entropy format: number level: extended name: sections.entropy @@ -14691,10 +12539,10 @@ process.entry_leader.parent.elf.sections.entropy: original_fieldset: elf short: Shannon entropy calculation from the section. type: long -process.entry_leader.parent.elf.sections.flags: - dashed_name: process-entry-leader-parent-elf-sections-flags +process.parent.elf.sections.flags: + dashed_name: process-parent-elf-sections-flags description: ELF Section List flags. - flat_name: process.entry_leader.parent.elf.sections.flags + flat_name: process.parent.elf.sections.flags ignore_above: 1024 level: extended name: sections.flags @@ -14702,10 +12550,10 @@ process.entry_leader.parent.elf.sections.flags: original_fieldset: elf short: ELF Section List flags. type: keyword -process.entry_leader.parent.elf.sections.name: - dashed_name: process-entry-leader-parent-elf-sections-name +process.parent.elf.sections.name: + dashed_name: process-parent-elf-sections-name description: ELF Section List name. - flat_name: process.entry_leader.parent.elf.sections.name + flat_name: process.parent.elf.sections.name ignore_above: 1024 level: extended name: sections.name 
@@ -14713,10 +12561,10 @@ process.entry_leader.parent.elf.sections.name: original_fieldset: elf short: ELF Section List name. type: keyword -process.entry_leader.parent.elf.sections.physical_offset: - dashed_name: process-entry-leader-parent-elf-sections-physical-offset +process.parent.elf.sections.physical_offset: + dashed_name: process-parent-elf-sections-physical-offset description: ELF Section List offset. - flat_name: process.entry_leader.parent.elf.sections.physical_offset + flat_name: process.parent.elf.sections.physical_offset ignore_above: 1024 level: extended name: sections.physical_offset @@ -14724,10 +12572,10 @@ process.entry_leader.parent.elf.sections.physical_offset: original_fieldset: elf short: ELF Section List offset. type: keyword -process.entry_leader.parent.elf.sections.physical_size: - dashed_name: process-entry-leader-parent-elf-sections-physical-size +process.parent.elf.sections.physical_size: + dashed_name: process-parent-elf-sections-physical-size description: ELF Section List physical size. - flat_name: process.entry_leader.parent.elf.sections.physical_size + flat_name: process.parent.elf.sections.physical_size format: bytes level: extended name: sections.physical_size @@ -14735,10 +12583,10 @@ process.entry_leader.parent.elf.sections.physical_size: original_fieldset: elf short: ELF Section List physical size. type: long -process.entry_leader.parent.elf.sections.type: - dashed_name: process-entry-leader-parent-elf-sections-type +process.parent.elf.sections.type: + dashed_name: process-parent-elf-sections-type description: ELF Section List type. - flat_name: process.entry_leader.parent.elf.sections.type + flat_name: process.parent.elf.sections.type ignore_above: 1024 level: extended name: sections.type 
@@ -14746,10 +12594,10 @@ process.entry_leader.parent.elf.sections.type: original_fieldset: elf short: ELF Section List type. type: keyword -process.entry_leader.parent.elf.sections.var_entropy: - dashed_name: process-entry-leader-parent-elf-sections-var-entropy +process.parent.elf.sections.var_entropy: + dashed_name: process-parent-elf-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.elf.sections.var_entropy + flat_name: process.parent.elf.sections.var_entropy format: number level: extended name: sections.var_entropy @@ -14757,10 +12605,10 @@ process.entry_leader.parent.elf.sections.var_entropy: original_fieldset: elf short: Variance for Shannon entropy calculation from the section. type: long -process.entry_leader.parent.elf.sections.virtual_address: - dashed_name: process-entry-leader-parent-elf-sections-virtual-address +process.parent.elf.sections.virtual_address: + dashed_name: process-parent-elf-sections-virtual-address description: ELF Section List virtual address. - flat_name: process.entry_leader.parent.elf.sections.virtual_address + flat_name: process.parent.elf.sections.virtual_address format: string level: extended name: sections.virtual_address @@ -14768,10 +12616,10 @@ process.entry_leader.parent.elf.sections.virtual_address: original_fieldset: elf short: ELF Section List virtual address. type: long -process.entry_leader.parent.elf.sections.virtual_size: - dashed_name: process-entry-leader-parent-elf-sections-virtual-size +process.parent.elf.sections.virtual_size: + dashed_name: process-parent-elf-sections-virtual-size description: ELF Section List virtual size. - flat_name: process.entry_leader.parent.elf.sections.virtual_size + flat_name: process.parent.elf.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -14779,13 +12627,13 @@ process.entry_leader.parent.elf.sections.virtual_size: original_fieldset: elf short: ELF Section List virtual size. type: long -process.entry_leader.parent.elf.segments: - dashed_name: process-entry-leader-parent-elf-segments +process.parent.elf.segments: + dashed_name: process-parent-elf-segments description: 'An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.' - flat_name: process.entry_leader.parent.elf.segments + flat_name: process.parent.elf.segments level: extended name: segments normalize: @@ -14793,10 +12641,10 @@ process.entry_leader.parent.elf.segments: original_fieldset: elf short: ELF object segment list. type: nested -process.entry_leader.parent.elf.segments.sections: - dashed_name: process-entry-leader-parent-elf-segments-sections +process.parent.elf.segments.sections: + dashed_name: process-parent-elf-segments-sections description: ELF object segment sections. - flat_name: process.entry_leader.parent.elf.segments.sections + flat_name: process.parent.elf.segments.sections ignore_above: 1024 level: extended name: segments.sections @@ -14804,10 +12652,10 @@ process.entry_leader.parent.elf.segments.sections: original_fieldset: elf short: ELF object segment sections. type: keyword -process.entry_leader.parent.elf.segments.type: - dashed_name: process-entry-leader-parent-elf-segments-type +process.parent.elf.segments.type: + dashed_name: process-parent-elf-segments-type description: ELF object segment type. - flat_name: process.entry_leader.parent.elf.segments.type + flat_name: process.parent.elf.segments.type ignore_above: 1024 level: extended name: segments.type 
@@ -14815,10 +12663,10 @@ process.entry_leader.parent.elf.segments.type: original_fieldset: elf short: ELF object segment type. type: keyword -process.entry_leader.parent.elf.shared_libraries: - dashed_name: process-entry-leader-parent-elf-shared-libraries +process.parent.elf.shared_libraries: + dashed_name: process-parent-elf-shared-libraries description: List of shared libraries used by this ELF object. - flat_name: process.entry_leader.parent.elf.shared_libraries + flat_name: process.parent.elf.shared_libraries ignore_above: 1024 level: extended name: shared_libraries @@ -14827,10 +12675,10 @@ process.entry_leader.parent.elf.shared_libraries: original_fieldset: elf short: List of shared libraries used by this ELF object. type: keyword -process.entry_leader.parent.elf.telfhash: - dashed_name: process-entry-leader-parent-elf-telfhash +process.parent.elf.telfhash: + dashed_name: process-parent-elf-telfhash description: telfhash symbol hash for ELF file. - flat_name: process.entry_leader.parent.elf.telfhash + flat_name: process.parent.elf.telfhash ignore_above: 1024 level: extended name: telfhash 
@@ -14838,31 +12686,19 @@ process.entry_leader.parent.elf.telfhash: original_fieldset: elf short: telfhash hash for ELF file. type: keyword -process.entry_leader.parent.end: - dashed_name: process-entry-leader-parent-end +process.parent.end: + dashed_name: process-parent-end description: The time the process ended. example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.end + flat_name: process.parent.end level: extended name: end normalize: [] original_fieldset: process short: The time the process ended. type: date -process.entry_leader.parent.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.entry_leader.parent.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.entry_leader.parent.entity_id: - dashed_name: process-entry-leader-parent-entity-id +process.parent.entity_id: + dashed_name: process-parent-entity-id description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples @@ -14873,7 +12709,7 @@ process.entry_leader.parent.entity_id: reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d - flat_name: process.entry_leader.parent.entity_id + flat_name: process.parent.entity_id ignore_above: 1024 level: extended name: entity_id 
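Review bot: The hunks from `@@ -14242,23 +12090,23 @@` through `@@ -14873,7 +12709,7 @@` look like a rename of `process.entry_leader.parent.*` to `process.parent.*`, but that is a diff-alignment artifact, not a rename: every `-` line is a `process.entry_leader.parent.code_signature.*`, `.command_line`, `.elf.*`, `.end` or `.entity_id` definition and every `+` line is the already-existing `process.parent.*` definition with the same `name`, `level`, `type` and `original_fieldset`, so the real change is that the whole `process.entry_leader.parent` expansion has been dropped from this generated file (the hunk headers shift by about 2,150 lines, `process.entry_leader.parent.endpoint_security_client` is removed with no `+` counterpart, and the next hunk, `@@ -14881,388 +12717,15 @@`, deletes the `process.entry_leader.parent.entry_meta.source.*` block outright). Unless removing the `entry_leader.parent` reuse is intentional, this looks like the artifacts were regenerated from a stale checkout or a different generator configuration; please regenerate from the current base branch (or drop the generated-file changes from this PR) and confirm that only the intended fields differ, since consumers that map `process.entry_leader.parent.*` would otherwise silently lose those fields. If the removal is intended, it should be called out in the PR description as a breaking change to the generated schema rather than appearing only as these rename-shaped hunks.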
@@ -14881,388 +12717,15 @@ process.entry_leader.parent.entity_id: original_fieldset: process short: Unique identifier for the process. type: keyword -process.entry_leader.parent.entry_meta.source.address: - dashed_name: process-entry-leader-parent-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.entry_leader.parent.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword -process.entry_leader.parent.entry_meta.source.as.number: - dashed_name: process-entry-leader-parent-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.entry_leader.parent.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.entry_leader.parent.entry_meta.source.as.organization.name: - dashed_name: process-entry-leader-parent-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.entry_leader.parent.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. 
- type: keyword -process.entry_leader.parent.entry_meta.source.bytes: - dashed_name: process-entry-leader-parent-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.entry_leader.parent.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long -process.entry_leader.parent.entry_meta.source.domain: - dashed_name: process-entry-leader-parent-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' - example: foo.example.com - flat_name: process.entry_leader.parent.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.entry_leader.parent.entry_meta.source.geo.city_name: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.entry_leader.parent.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.entry_leader.parent.entry_meta.source.geo.continent_code: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.entry_leader.parent.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. 
- type: keyword -process.entry_leader.parent.entry_meta.source.geo.continent_name: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.entry_leader.parent.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword -process.entry_leader.parent.entry_meta.source.geo.country_iso_code: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.entry_leader.parent.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword -process.entry_leader.parent.entry_meta.source.geo.country_name: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.entry_leader.parent.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.entry_leader.parent.entry_meta.source.geo.location: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.entry_leader.parent.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -process.entry_leader.parent.entry_meta.source.geo.name: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. 
- - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.entry_leader.parent.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.entry_leader.parent.entry_meta.source.geo.postal_code: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.entry_leader.parent.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -process.entry_leader.parent.entry_meta.source.geo.region_iso_code: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.entry_leader.parent.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.entry_leader.parent.entry_meta.source.geo.region_name: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.entry_leader.parent.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -process.entry_leader.parent.entry_meta.source.geo.timezone: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. 
- example: America/Argentina/Buenos_Aires - flat_name: process.entry_leader.parent.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -process.entry_leader.parent.entry_meta.source.ip: - dashed_name: process-entry-leader-parent-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.entry_leader.parent.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.entry_leader.parent.entry_meta.source.mac: - dashed_name: process-entry-leader-parent-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.entry_leader.parent.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.entry_leader.parent.entry_meta.source.nat.ip: - dashed_name: process-entry-leader-parent-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.entry_leader.parent.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.entry_leader.parent.entry_meta.source.nat.port: - dashed_name: process-entry-leader-parent-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. 
internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.entry_leader.parent.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.entry_leader.parent.entry_meta.source.packets: - dashed_name: process-entry-leader-parent-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.entry_leader.parent.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.entry_leader.parent.entry_meta.source.port: - dashed_name: process-entry-leader-parent-entry-meta-source-port - description: Port of the source. - flat_name: process.entry_leader.parent.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.entry_leader.parent.entry_meta.source.registered_domain: - dashed_name: process-entry-leader-parent-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.entry_leader.parent.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. 
- type: keyword -process.entry_leader.parent.entry_meta.source.subdomain: - dashed_name: process-entry-leader-parent-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.entry_leader.parent.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword -process.entry_leader.parent.entry_meta.source.top_level_domain: - dashed_name: process-entry-leader-parent-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.entry_leader.parent.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword -process.entry_leader.parent.entry_meta.type: - dashed_name: process-entry-leader-parent-entry-meta-type - description: 'The entry type for the entry session leader. 
Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.entry_leader.parent.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword -process.entry_leader.parent.env_vars: - dashed_name: process-entry-leader-parent-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.entry_leader.parent.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.executable: - dashed_name: process-entry-leader-parent-executable +process.parent.executable: + dashed_name: process-parent-executable description: Absolute path to the process executable. example: /usr/bin/ssh - flat_name: process.entry_leader.parent.executable + flat_name: process.parent.executable ignore_above: 1024 level: extended multi_fields: - - flat_name: process.entry_leader.parent.executable.text + - flat_name: process.parent.executable.text name: text type: match_only_text name: executable 
@@ -15270,37 +12733,24 @@ process.entry_leader.parent.executable: original_fieldset: process short: Absolute path to the process executable. type: keyword -process.entry_leader.parent.exit_code: - dashed_name: process-entry-leader-parent-exit-code +process.parent.exit_code: + dashed_name: process-parent-exit-code description: 'The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).' example: 137 - flat_name: process.entry_leader.parent.exit_code + flat_name: process.parent.exit_code level: extended name: exit_code normalize: [] original_fieldset: process short: The exit code of the process. type: long -process.entry_leader.parent.group.domain: - dashed_name: process-entry-leader-parent-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.group.id: - dashed_name: process-entry-leader-parent-group-id +process.parent.group.id: + dashed_name: process-parent-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.group.id + flat_name: process.parent.group.id ignore_above: 1024 level: extended name: id 
@@ -15308,10 +12758,10 @@ process.entry_leader.parent.group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.entry_leader.parent.group.name: - dashed_name: process-entry-leader-parent-group-name +process.parent.group.name: + dashed_name: process-parent-group-name description: Name of the group. - flat_name: process.entry_leader.parent.group.name + flat_name: process.parent.group.name ignore_above: 1024 level: extended name: name 
@@ -15319,13 +12769,72 @@ process.entry_leader.parent.group.name: original_fieldset: group short: Name of the group. type: keyword -process.entry_leader.parent.hash.cdhash: +process.parent.group_leader.entity_id: + dashed_name: process-parent-group-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.parent.group_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.parent.group_leader.pid: + dashed_name: process-parent-group-leader-pid + description: Process id. + example: 4242 + flat_name: process.parent.group_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.parent.group_leader.start: + dashed_name: process-parent-group-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.group_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.parent.group_leader.vpid: + dashed_name: process-parent-group-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' 
+ example: 4242 + flat_name: process.parent.group_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long +process.parent.hash.cdhash: beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-hash-cdhash + dashed_name: process-parent-hash-cdhash description: Code directory hash, utilized to uniquely identify and authenticate the integrity of the executable code. example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.entry_leader.parent.hash.cdhash + flat_name: process.parent.hash.cdhash ignore_above: 1024 level: extended name: cdhash @@ -15333,10 +12842,10 @@ process.entry_leader.parent.hash.cdhash: original_fieldset: hash short: The Code Directory (CD) hash of an executable. type: keyword -process.entry_leader.parent.hash.md5: - dashed_name: process-entry-leader-parent-hash-md5 +process.parent.hash.md5: + dashed_name: process-parent-hash-md5 description: MD5 hash. - flat_name: process.entry_leader.parent.hash.md5 + flat_name: process.parent.hash.md5 ignore_above: 1024 level: extended name: md5 @@ -15344,10 +12853,10 @@ process.entry_leader.parent.hash.md5: original_fieldset: hash short: MD5 hash. type: keyword -process.entry_leader.parent.hash.sha1: - dashed_name: process-entry-leader-parent-hash-sha1 +process.parent.hash.sha1: + dashed_name: process-parent-hash-sha1 description: SHA1 hash. - flat_name: process.entry_leader.parent.hash.sha1 + flat_name: process.parent.hash.sha1 ignore_above: 1024 level: extended name: sha1 
@@ -15355,10 +12864,10 @@ process.entry_leader.parent.hash.sha1: original_fieldset: hash short: SHA1 hash. type: keyword -process.entry_leader.parent.hash.sha256: - dashed_name: process-entry-leader-parent-hash-sha256 +process.parent.hash.sha256: + dashed_name: process-parent-hash-sha256 description: SHA256 hash. - flat_name: process.entry_leader.parent.hash.sha256 + flat_name: process.parent.hash.sha256 ignore_above: 1024 level: extended name: sha256 @@ -15366,10 +12875,10 @@ process.entry_leader.parent.hash.sha256: original_fieldset: hash short: SHA256 hash. type: keyword -process.entry_leader.parent.hash.sha384: - dashed_name: process-entry-leader-parent-hash-sha384 +process.parent.hash.sha384: + dashed_name: process-parent-hash-sha384 description: SHA384 hash. - flat_name: process.entry_leader.parent.hash.sha384 + flat_name: process.parent.hash.sha384 ignore_above: 1024 level: extended name: sha384 @@ -15377,10 +12886,10 @@ process.entry_leader.parent.hash.sha384: original_fieldset: hash short: SHA384 hash. type: keyword -process.entry_leader.parent.hash.sha512: - dashed_name: process-entry-leader-parent-hash-sha512 +process.parent.hash.sha512: + dashed_name: process-parent-hash-sha512 description: SHA512 hash. - flat_name: process.entry_leader.parent.hash.sha512 + flat_name: process.parent.hash.sha512 ignore_above: 1024 level: extended name: sha512 @@ -15388,10 +12897,10 @@ process.entry_leader.parent.hash.sha512: original_fieldset: hash short: SHA512 hash. type: keyword -process.entry_leader.parent.hash.ssdeep: - dashed_name: process-entry-leader-parent-hash-ssdeep +process.parent.hash.ssdeep: + dashed_name: process-parent-hash-ssdeep description: SSDEEP hash. - flat_name: process.entry_leader.parent.hash.ssdeep + flat_name: process.parent.hash.ssdeep ignore_above: 1024 level: extended name: ssdeep 
@@ -15399,10 +12908,10 @@ process.entry_leader.parent.hash.ssdeep: original_fieldset: hash short: SSDEEP hash. type: keyword -process.entry_leader.parent.hash.tlsh: - dashed_name: process-entry-leader-parent-hash-tlsh +process.parent.hash.tlsh: + dashed_name: process-parent-hash-tlsh description: TLSH hash. - flat_name: process.entry_leader.parent.hash.tlsh + flat_name: process.parent.hash.tlsh ignore_above: 1024 level: extended name: tlsh @@ -15410,8 +12919,8 @@ process.entry_leader.parent.hash.tlsh: original_fieldset: hash short: TLSH hash. type: keyword -process.entry_leader.parent.interactive: - dashed_name: process-entry-leader-parent-interactive +process.parent.interactive: + dashed_name: process-parent-interactive description: 'Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the 
@@ -15424,126 +12933,15 @@ process.entry_leader.parent.interactive: is still considered interactive if stdin and stderr are connected to the controlling TTY.' example: true - flat_name: process.entry_leader.parent.interactive + flat_name: process.parent.interactive level: extended name: interactive normalize: [] original_fieldset: process short: Whether the process is connected to an interactive shell. type: boolean -process.entry_leader.parent.io: - dashed_name: process-entry-leader-parent-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.entry_leader.parent.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object -process.entry_leader.parent.io.bytes_skipped: - dashed_name: process-entry-leader-parent-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. - flat_name: process.entry_leader.parent.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been skipped. - type: object -process.entry_leader.parent.io.bytes_skipped.length: - dashed_name: process-entry-leader-parent-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.entry_leader.parent.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long -process.entry_leader.parent.io.bytes_skipped.offset: - dashed_name: process-entry-leader-parent-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. 
- flat_name: process.entry_leader.parent.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.entry_leader.parent.io.max_bytes_per_process_exceeded: - dashed_name: process-entry-leader-parent-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.entry_leader.parent.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.entry_leader.parent.io.text: - dashed_name: process-entry-leader-parent-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.entry_leader.parent.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard -process.entry_leader.parent.io.total_bytes_captured: - dashed_name: process-entry-leader-parent-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.entry_leader.parent.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. 
- type: long -process.entry_leader.parent.io.total_bytes_skipped: - dashed_name: process-entry-leader-parent-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.entry_leader.parent.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. - type: long -process.entry_leader.parent.io.type: - dashed_name: process-entry-leader-parent-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.entry_leader.parent.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword -process.entry_leader.parent.macho.go_import_hash: - dashed_name: process-entry-leader-parent-macho-go-import-hash +process.parent.macho.go_import_hash: + dashed_name: process-parent-macho-go-import-hash description: 'A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change 
@@ -15552,7 +12950,7 @@ process.entry_leader.parent.macho.go_import_hash: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.macho.go_import_hash + flat_name: process.parent.macho.go_import_hash ignore_above: 1024 level: extended name: go_import_hash @@ -15560,20 +12958,20 @@ process.entry_leader.parent.macho.go_import_hash: original_fieldset: macho short: A hash of the Go language imports in a Mach-O file. type: keyword -process.entry_leader.parent.macho.go_imports: - dashed_name: process-entry-leader-parent-macho-go-imports +process.parent.macho.go_imports: + dashed_name: process-parent-macho-go-imports description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.macho.go_imports + flat_name: process.parent.macho.go_imports level: extended name: go_imports normalize: [] original_fieldset: macho short: List of imported Go language element names and types. type: flattened -process.entry_leader.parent.macho.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-macho-go-imports-names-entropy +process.parent.macho.go_imports_names_entropy: + dashed_name: process-parent-macho-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.macho.go_imports_names_entropy + flat_name: process.parent.macho.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy 
@@ -15581,10 +12979,10 @@ process.entry_leader.parent.macho.go_imports_names_entropy: original_fieldset: macho short: Shannon entropy calculation from the list of Go imports. type: long -process.entry_leader.parent.macho.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-macho-go-imports-names-var-entropy +process.parent.macho.go_imports_names_var_entropy: + dashed_name: process-parent-macho-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.macho.go_imports_names_var_entropy + flat_name: process.parent.macho.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -15592,26 +12990,26 @@ process.entry_leader.parent.macho.go_imports_names_var_entropy: original_fieldset: macho short: Variance for Shannon entropy calculation from the list of Go imports. type: long -process.entry_leader.parent.macho.go_stripped: - dashed_name: process-entry-leader-parent-macho-go-stripped +process.parent.macho.go_stripped: + dashed_name: process-parent-macho-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.macho.go_stripped + flat_name: process.parent.macho.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: macho short: Whether the file is a stripped or obfuscated Go executable. type: boolean -process.entry_leader.parent.macho.import_hash: - dashed_name: process-entry-leader-parent-macho-import-hash +process.parent.macho.import_hash: + dashed_name: process-parent-macho-import-hash description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for symhash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.macho.import_hash + flat_name: process.parent.macho.import_hash ignore_above: 1024 level: extended name: import_hash @@ -15619,10 +13017,10 @@ process.entry_leader.parent.macho.import_hash: original_fieldset: macho short: A hash of the imports in a Mach-O file. type: keyword -process.entry_leader.parent.macho.imports: - dashed_name: process-entry-leader-parent-macho-imports +process.parent.macho.imports: + dashed_name: process-parent-macho-imports description: List of imported element names and types. - flat_name: process.entry_leader.parent.macho.imports + flat_name: process.parent.macho.imports level: extended name: imports normalize: 
@@ -15630,11 +13028,11 @@ process.entry_leader.parent.macho.imports: original_fieldset: macho short: List of imported element names and types. type: flattened -process.entry_leader.parent.macho.imports_names_entropy: - dashed_name: process-entry-leader-parent-macho-imports-names-entropy +process.parent.macho.imports_names_entropy: + dashed_name: process-parent-macho-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.entry_leader.parent.macho.imports_names_entropy + flat_name: process.parent.macho.imports_names_entropy format: number level: extended name: imports_names_entropy @@ -15642,11 +13040,11 @@ process.entry_leader.parent.macho.imports_names_entropy: original_fieldset: macho short: Shannon entropy calculation from the list of imported element names and types. type: long -process.entry_leader.parent.macho.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-macho-imports-names-var-entropy +process.parent.macho.imports_names_var_entropy: + dashed_name: process-parent-macho-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.entry_leader.parent.macho.imports_names_var_entropy + flat_name: process.parent.macho.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy 
@@ -15655,13 +13053,13 @@ process.entry_leader.parent.macho.imports_names_var_entropy: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long -process.entry_leader.parent.macho.sections: - dashed_name: process-entry-leader-parent-macho-sections +process.parent.macho.sections: + dashed_name: process-parent-macho-sections description: 'An array containing an object for each section of the Mach-O file. The keys that should be present in these objects are defined by sub-fields underneath `macho.sections.*`.' - flat_name: process.entry_leader.parent.macho.sections + flat_name: process.parent.macho.sections level: extended name: sections normalize: @@ -15669,10 +13067,10 @@ process.entry_leader.parent.macho.sections: original_fieldset: macho short: Section information of the Mach-O file. type: nested -process.entry_leader.parent.macho.sections.entropy: - dashed_name: process-entry-leader-parent-macho-sections-entropy +process.parent.macho.sections.entropy: + dashed_name: process-parent-macho-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.macho.sections.entropy + flat_name: process.parent.macho.sections.entropy format: number level: extended name: sections.entropy @@ -15680,10 +13078,10 @@ process.entry_leader.parent.macho.sections.entropy: original_fieldset: macho short: Shannon entropy calculation from the section. type: long -process.entry_leader.parent.macho.sections.name: - dashed_name: process-entry-leader-parent-macho-sections-name +process.parent.macho.sections.name: + dashed_name: process-parent-macho-sections-name description: Mach-O Section List name. - flat_name: process.entry_leader.parent.macho.sections.name + flat_name: process.parent.macho.sections.name ignore_above: 1024 level: extended name: sections.name 
@@ -15691,10 +13089,10 @@ process.entry_leader.parent.macho.sections.name: original_fieldset: macho short: Mach-O Section List name. type: keyword -process.entry_leader.parent.macho.sections.physical_size: - dashed_name: process-entry-leader-parent-macho-sections-physical-size +process.parent.macho.sections.physical_size: + dashed_name: process-parent-macho-sections-physical-size description: Mach-O Section List physical size. - flat_name: process.entry_leader.parent.macho.sections.physical_size + flat_name: process.parent.macho.sections.physical_size format: bytes level: extended name: sections.physical_size @@ -15702,10 +13100,10 @@ process.entry_leader.parent.macho.sections.physical_size: original_fieldset: macho short: Mach-O Section List physical size. type: long -process.entry_leader.parent.macho.sections.var_entropy: - dashed_name: process-entry-leader-parent-macho-sections-var-entropy +process.parent.macho.sections.var_entropy: + dashed_name: process-parent-macho-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.macho.sections.var_entropy + flat_name: process.parent.macho.sections.var_entropy format: number level: extended name: sections.var_entropy @@ -15713,10 +13111,10 @@ process.entry_leader.parent.macho.sections.var_entropy: original_fieldset: macho short: Variance for Shannon entropy calculation from the section. type: long -process.entry_leader.parent.macho.sections.virtual_size: - dashed_name: process-entry-leader-parent-macho-sections-virtual-size +process.parent.macho.sections.virtual_size: + dashed_name: process-parent-macho-sections-virtual-size description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.parent.macho.sections.virtual_size + flat_name: process.parent.macho.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -15724,15 +13122,15 @@ process.entry_leader.parent.macho.sections.virtual_size: original_fieldset: macho short: Mach-O Section List virtual size. This is always the same as `physical_size`. type: long -process.entry_leader.parent.macho.symhash: - dashed_name: process-entry-leader-parent-macho-symhash +process.parent.macho.symhash: + dashed_name: process-parent-macho-symhash description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a Mach-O implementation of the Windows PE imphash' example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.entry_leader.parent.macho.symhash + flat_name: process.parent.macho.symhash ignore_above: 1024 level: extended name: symhash @@ -15740,17 +13138,17 @@ process.entry_leader.parent.macho.symhash: original_fieldset: macho short: A hash of the imports in a Mach-O file. type: keyword -process.entry_leader.parent.name: - dashed_name: process-entry-leader-parent-name +process.parent.name: + dashed_name: process-parent-name description: 'Process name. Sometimes called program name or similar.' example: ssh - flat_name: process.entry_leader.parent.name + flat_name: process.parent.name ignore_above: 1024 level: extended multi_fields: - - flat_name: process.entry_leader.parent.name.text + - flat_name: process.parent.name.text name: text type: match_only_text name: name 
@@ -15758,37 +13156,11 @@ process.entry_leader.parent.name: original_fieldset: process short: Process name. type: keyword -process.entry_leader.parent.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. - example: http://example.com/article1.html - flat_name: process.entry_leader.parent.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.entry_leader.parent.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.entry_leader.parent.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword -process.entry_leader.parent.pe.architecture: - dashed_name: process-entry-leader-parent-pe-architecture +process.parent.pe.architecture: + dashed_name: process-parent-pe-architecture description: CPU architecture target for the file. example: x64 - flat_name: process.entry_leader.parent.pe.architecture + flat_name: process.parent.pe.architecture ignore_above: 1024 level: extended name: architecture 
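Review bot: in hunk `@@ -15758,37 +13156,11 @@`, `process.entry_leader.parent.origin_referrer_url` and `process.entry_leader.parent.origin_url` are deleted outright, while every neighbouring field in this region is paired with a `+process.parent.*` counterpart, and no `+process.parent.origin_referrer_url` or `+process.parent.origin_url` entry appears in the hunk. If the generated artifact is meant to keep these two beta fields under `process.parent`, the file needs regenerating; if dropping them is intended, please say so in the PR description so reviewers do not have to infer it from a generated diff.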
@@ -15796,11 +13168,11 @@ process.entry_leader.parent.pe.architecture: original_fieldset: pe short: CPU architecture target for the file. type: keyword -process.entry_leader.parent.pe.company: - dashed_name: process-entry-leader-parent-pe-company +process.parent.pe.company: + dashed_name: process-parent-pe-company description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation - flat_name: process.entry_leader.parent.pe.company + flat_name: process.parent.pe.company ignore_above: 1024 level: extended name: company @@ -15808,11 +13180,11 @@ process.entry_leader.parent.pe.company: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword -process.entry_leader.parent.pe.description: - dashed_name: process-entry-leader-parent-pe-description +process.parent.pe.description: + dashed_name: process-parent-pe-description description: Internal description of the file, provided at compile-time. example: Paint - flat_name: process.entry_leader.parent.pe.description + flat_name: process.parent.pe.description ignore_above: 1024 level: extended name: description @@ -15820,11 +13192,11 @@ process.entry_leader.parent.pe.description: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword -process.entry_leader.parent.pe.file_version: - dashed_name: process-entry-leader-parent-pe-file-version +process.parent.pe.file_version: + dashed_name: process-parent-pe-file-version description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 - flat_name: process.entry_leader.parent.pe.file_version + flat_name: process.parent.pe.file_version ignore_above: 1024 level: extended name: file_version 
@@ -15832,8 +13204,8 @@ process.entry_leader.parent.pe.file_version: original_fieldset: pe short: Process name. type: keyword -process.entry_leader.parent.pe.go_import_hash: - dashed_name: process-entry-leader-parent-pe-go-import-hash +process.parent.pe.go_import_hash: + dashed_name: process-parent-pe-go-import-hash description: 'A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change @@ -15842,7 +13214,7 @@ process.entry_leader.parent.pe.go_import_hash: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.pe.go_import_hash + flat_name: process.parent.pe.go_import_hash ignore_above: 1024 level: extended name: go_import_hash 
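Review bot: in hunk `@@ -15832,8 +13204,8 @@` the unchanged context lines for `pe.file_version` carry `short: Process name.`, which contradicts the field's own `description` (`Internal version of the file, provided at compile-time.`) shown at the end of the previous hunk. This is pre-existing in the generated output and not introduced by this change, but since the entry is marked `original_fieldset: pe` the wrong `short` comes from the `pe` field-set definition and should be fixed there in a separate change rather than hand-edited in this generated file.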
@@ -15850,20 +13222,20 @@ process.entry_leader.parent.pe.go_import_hash: original_fieldset: pe short: A hash of the Go language imports in a PE file. type: keyword -process.entry_leader.parent.pe.go_imports: - dashed_name: process-entry-leader-parent-pe-go-imports +process.parent.pe.go_imports: + dashed_name: process-parent-pe-go-imports description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.pe.go_imports + flat_name: process.parent.pe.go_imports level: extended name: go_imports normalize: [] original_fieldset: pe short: List of imported Go language element names and types. type: flattened -process.entry_leader.parent.pe.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-pe-go-imports-names-entropy +process.parent.pe.go_imports_names_entropy: + dashed_name: process-parent-pe-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.pe.go_imports_names_entropy + flat_name: process.parent.pe.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy @@ -15871,10 +13243,10 @@ process.entry_leader.parent.pe.go_imports_names_entropy: original_fieldset: pe short: Shannon entropy calculation from the list of Go imports. type: long -process.entry_leader.parent.pe.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-pe-go-imports-names-var-entropy +process.parent.pe.go_imports_names_var_entropy: + dashed_name: process-parent-pe-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.pe.go_imports_names_var_entropy + flat_name: process.parent.pe.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -15882,40579 +13254,210 @@ process.entry_leader.parent.pe.go_imports_names_var_entropy: original_fieldset: pe short: Variance for Shannon entropy calculation from the list of Go imports. type: long -process.entry_leader.parent.pe.go_stripped: - dashed_name: process-entry-leader-parent-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.entry_leader.parent.pe.imphash: - dashed_name: process-entry-leader-parent-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.entry_leader.parent.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.entry_leader.parent.pe.import_hash: - dashed_name: process-entry-leader-parent-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. 
- type: keyword -process.entry_leader.parent.pe.imports: - dashed_name: process-entry-leader-parent-pe-imports - description: List of imported element names and types. - flat_name: process.entry_leader.parent.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened -process.entry_leader.parent.pe.imports_names_entropy: - dashed_name: process-entry-leader-parent-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.entry_leader.parent.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.entry_leader.parent.pe.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.parent.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.entry_leader.parent.pe.original_file_name: - dashed_name: process-entry-leader-parent-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.entry_leader.parent.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. 
- type: keyword -process.entry_leader.parent.pe.pehash: - dashed_name: process-entry-leader-parent-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.entry_leader.parent.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword -process.entry_leader.parent.pe.product: - dashed_name: process-entry-leader-parent-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.entry_leader.parent.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.entry_leader.parent.pe.sections: - dashed_name: process-entry-leader-parent-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.entry_leader.parent.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.entry_leader.parent.pe.sections.entropy: - dashed_name: process-entry-leader-parent-pe-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.entry_leader.parent.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long -process.entry_leader.parent.pe.sections.name: - dashed_name: process-entry-leader-parent-pe-sections-name - description: PE Section List name. - flat_name: process.entry_leader.parent.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword -process.entry_leader.parent.pe.sections.physical_size: - dashed_name: process-entry-leader-parent-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.entry_leader.parent.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.entry_leader.parent.pe.sections.var_entropy: - dashed_name: process-entry-leader-parent-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.entry_leader.parent.pe.sections.virtual_size: - dashed_name: process-entry-leader-parent-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.parent.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. 
- type: long -process.entry_leader.parent.pid: - dashed_name: process-entry-leader-parent-pid - description: Process id. - example: 4242 - flat_name: process.entry_leader.parent.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long -process.entry_leader.parent.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. - flat_name: process.entry_leader.parent.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.entry_leader.parent.real_group.domain: - dashed_name: process-entry-leader-parent-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.real_group.id: - dashed_name: process-entry-leader-parent-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.real_group.name: - dashed_name: process-entry-leader-parent-real-group-name - description: Name of the group. 
- flat_name: process.entry_leader.parent.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.real_user.domain: - dashed_name: process-entry-leader-parent-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.entry_leader.parent.real_user.email: - dashed_name: process-entry-leader-parent-real-user-email - description: User email address. - flat_name: process.entry_leader.parent.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.entry_leader.parent.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.entry_leader.parent.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.entry_leader.parent.real_user.entity.behavior: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.entry_leader.parent.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.entry_leader.parent.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.parent.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.real_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.entry_leader.parent.real_user.entity.id: - dashed_name: process-entry-leader-parent-real-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.entry_leader.parent.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.entry_leader.parent.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.parent.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.entry_leader.parent.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. 
- type: object -process.entry_leader.parent.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.entry_leader.parent.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.entry_leader.parent.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.entry_leader.parent.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.real_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.entry_leader.parent.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.entry_leader.parent.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. 
- type: object -process.entry_leader.parent.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.parent.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.entry_leader.parent.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.entry_leader.parent.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.entry_leader.parent.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: process.entry_leader.parent.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.entry_leader.parent.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. 
This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.entry_leader.parent.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.entry_leader.parent.real_user.full_name: - dashed_name: process-entry-leader-parent-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.entry_leader.parent.real_user.group.domain: - dashed_name: process-entry-leader-parent-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.entry_leader.parent.real_user.group.id: - dashed_name: process-entry-leader-parent-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.real_user.group.name: - dashed_name: process-entry-leader-parent-real-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.real_user.hash: - dashed_name: process-entry-leader-parent-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.parent.real_user.id: - dashed_name: process-entry-leader-parent-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.entry_leader.parent.real_user.name: - dashed_name: process-entry-leader-parent-real-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.entry_leader.parent.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.entry_leader.parent.real_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.entry_leader.parent.real_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.entry_leader.parent.real_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. 
- example: 88.73 - flat_name: process.entry_leader.parent.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.entry_leader.parent.real_user.risk.static_level: - dashed_name: process-entry-leader-parent-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.entry_leader.parent.real_user.risk.static_score: - dashed_name: process-entry-leader-parent-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.entry_leader.parent.real_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. 
- type: float -process.entry_leader.parent.real_user.roles: - dashed_name: process-entry-leader-parent-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.same_as_process: - dashed_name: process-entry-leader-parent-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.entry_leader.parent.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. 
- type: boolean -process.entry_leader.parent.saved_group.domain: - dashed_name: process-entry-leader-parent-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.saved_group.id: - dashed_name: process-entry-leader-parent-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.saved_group.name: - dashed_name: process-entry-leader-parent-saved-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.saved_user.domain: - dashed_name: process-entry-leader-parent-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.entry_leader.parent.saved_user.email: - dashed_name: process-entry-leader-parent-saved-user-email - description: User email address. 
- flat_name: process.entry_leader.parent.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.entry_leader.parent.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.entry_leader.parent.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.entry_leader.parent.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.entry_leader.parent.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.entry_leader.parent.saved_user.entity.display_name: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.parent.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.saved_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.entry_leader.parent.saved_user.entity.id: - dashed_name: process-entry-leader-parent-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.entry_leader.parent.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.entry_leader.parent.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. 
- flat_name: process.entry_leader.parent.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.entry_leader.parent.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.entry_leader.parent.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.entry_leader.parent.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.entry_leader.parent.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. 
- flat_name: process.entry_leader.parent.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.saved_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.entry_leader.parent.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.entry_leader.parent.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.entry_leader.parent.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.parent.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.entry_leader.parent.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). 
- flat_name: process.entry_leader.parent.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.entry_leader.parent.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.parent.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.entry_leader.parent.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. 
This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. 
This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.entry_leader.parent.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.entry_leader.parent.saved_user.full_name: - dashed_name: process-entry-leader-parent-saved-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.entry_leader.parent.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.entry_leader.parent.saved_user.group.domain: - dashed_name: process-entry-leader-parent-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.saved_user.group.id: - dashed_name: process-entry-leader-parent-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.saved_user.group.name: - dashed_name: process-entry-leader-parent-saved-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.saved_user.hash: - dashed_name: process-entry-leader-parent-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.entry_leader.parent.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.parent.saved_user.id: - dashed_name: process-entry-leader-parent-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.entry_leader.parent.saved_user.name: - dashed_name: process-entry-leader-parent-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.entry_leader.parent.saved_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: keyword -process.entry_leader.parent.saved_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.entry_leader.parent.saved_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.parent.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.entry_leader.parent.saved_user.risk.static_level: - dashed_name: process-entry-leader-parent-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: keyword -process.entry_leader.parent.saved_user.risk.static_score: - dashed_name: process-entry-leader-parent-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.entry_leader.parent.saved_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.entry_leader.parent.saved_user.roles: - dashed_name: process-entry-leader-parent-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.session_leader.args: - dashed_name: process-entry-leader-parent-session-leader-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' 
- example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.entry_leader.parent.session_leader.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword -process.entry_leader.parent.session_leader.args_count: - dashed_name: process-entry-leader-parent-session-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.entry_leader.parent.session_leader.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long -process.entry_leader.parent.session_leader.attested_groups.domain: - dashed_name: process-entry-leader-parent-session-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.session_leader.attested_groups.id: - dashed_name: process-entry-leader-parent-session-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword -process.entry_leader.parent.session_leader.attested_groups.name: - dashed_name: process-entry-leader-parent-session-leader-attested-groups-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.session_leader.attested_user.domain: - dashed_name: process-entry-leader-parent-session-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.entry_leader.parent.session_leader.attested_user.email: - dashed_name: process-entry-leader-parent-session-leader-attested-user-email - description: User email address. - flat_name: process.entry_leader.parent.session_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.entry_leader.parent.session_leader.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. 
- flat_name: process.entry_leader.parent.session_leader.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.entry_leader.parent.session_leader.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.entry_leader.parent.session_leader.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.entry_leader.parent.session_leader.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.entry_leader.parent.session_leader.attested_user.entity.id: - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.entry_leader.parent.session_leader.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. 
- flat_name: process.entry_leader.parent.session_leader.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.entry_leader.parent.session_leader.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.entry_leader.parent.session_leader.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.entry_leader.parent.session_leader.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. 
For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.entry_leader.parent.session_leader.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.entry_leader.parent.session_leader.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. 
- type: keyword -process.entry_leader.parent.session_leader.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.entry_leader.parent.session_leader.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.entry_leader.parent.session_leader.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. 
- name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. 
This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
- example: host - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.entry_leader.parent.session_leader.attested_user.full_name: - dashed_name: process-entry-leader-parent-session-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.session_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.entry_leader.parent.session_leader.attested_user.group.domain: - dashed_name: process-entry-leader-parent-session-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.session_leader.attested_user.group.id: - dashed_name: process-entry-leader-parent-session-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword -process.entry_leader.parent.session_leader.attested_user.group.name: - dashed_name: process-entry-leader-parent-session-leader-attested-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.session_leader.attested_user.hash: - dashed_name: process-entry-leader-parent-session-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.session_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.parent.session_leader.attested_user.id: - dashed_name: process-entry-leader-parent-session-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.session_leader.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.entry_leader.parent.session_leader.attested_user.name: - dashed_name: process-entry-leader-parent-session-leader-attested-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.entry_leader.parent.session_leader.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.entry_leader.parent.session_leader.attested_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.entry_leader.parent.session_leader.attested_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: float -process.entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.entry_leader.parent.session_leader.attested_user.risk.static_level: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.entry_leader.parent.session_leader.attested_user.risk.static_score: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.entry_leader.parent.session_leader.attested_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.entry_leader.parent.session_leader.attested_user.roles: - dashed_name: process-entry-leader-parent-session-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.session_leader.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.session_leader.code_signature.digest_algorithm: - dashed_name: process-entry-leader-parent-session-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.entry_leader.parent.session_leader.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. 
- type: keyword -process.entry_leader.parent.session_leader.code_signature.exists: - dashed_name: process-entry-leader-parent-session-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.entry_leader.parent.session_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -process.entry_leader.parent.session_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.entry_leader.parent.session_leader.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword -process.entry_leader.parent.session_leader.code_signature.signing_id: - dashed_name: process-entry-leader-parent-session-leader-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.entry_leader.parent.session_leader.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword -process.entry_leader.parent.session_leader.code_signature.status: - dashed_name: process-entry-leader-parent-session-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. 
Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.entry_leader.parent.session_leader.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword -process.entry_leader.parent.session_leader.code_signature.subject_name: - dashed_name: process-entry-leader-parent-session-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.entry_leader.parent.session_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -process.entry_leader.parent.session_leader.code_signature.team_id: - dashed_name: process-entry-leader-parent-session-leader-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.entry_leader.parent.session_leader.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword -process.entry_leader.parent.session_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. 
- example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.entry_leader.parent.session_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword -process.entry_leader.parent.session_leader.code_signature.timestamp: - dashed_name: process-entry-leader-parent-session-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.entry_leader.parent.session_leader.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date -process.entry_leader.parent.session_leader.code_signature.trusted: - dashed_name: process-entry-leader-parent-session-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.entry_leader.parent.session_leader.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -process.entry_leader.parent.session_leader.code_signature.valid: - dashed_name: process-entry-leader-parent-session-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' 
- example: 'true' - flat_name: process.entry_leader.parent.session_leader.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -process.entry_leader.parent.session_leader.command_line: - dashed_name: process-entry-leader-parent-session-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.entry_leader.parent.session_leader.command_line - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.entry_leader.parent.session_leader.elf.architecture: - dashed_name: process-entry-leader-parent-session-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.entry_leader.parent.session_leader.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword -process.entry_leader.parent.session_leader.elf.byte_order: - dashed_name: process-entry-leader-parent-session-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.entry_leader.parent.session_leader.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. 
- type: keyword -process.entry_leader.parent.session_leader.elf.cpu_type: - dashed_name: process-entry-leader-parent-session-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.entry_leader.parent.session_leader.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword -process.entry_leader.parent.session_leader.elf.creation_date: - dashed_name: process-entry-leader-parent-session-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - flat_name: process.entry_leader.parent.session_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date -process.entry_leader.parent.session_leader.elf.exports: - dashed_name: process-entry-leader-parent-session-leader-elf-exports - description: List of exported element names and types. - flat_name: process.entry_leader.parent.session_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -process.entry_leader.parent.session_leader.elf.go_import_hash: - dashed_name: process-entry-leader-parent-session-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.session_leader.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword -process.entry_leader.parent.session_leader.elf.go_imports: - dashed_name: process-entry-leader-parent-session-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.session_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened -process.entry_leader.parent.session_leader.elf.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.session_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long -process.entry_leader.parent.session_leader.elf.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.session_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long -process.entry_leader.parent.session_leader.elf.go_stripped: - dashed_name: process-entry-leader-parent-session-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.session_leader.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.entry_leader.parent.session_leader.elf.header.abi_version: - dashed_name: process-entry-leader-parent-session-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.entry_leader.parent.session_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword -process.entry_leader.parent.session_leader.elf.header.class: - dashed_name: process-entry-leader-parent-session-leader-elf-header-class - description: Header class of the ELF file. - flat_name: process.entry_leader.parent.session_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword -process.entry_leader.parent.session_leader.elf.header.data: - dashed_name: process-entry-leader-parent-session-leader-elf-header-data - description: Data table of the ELF header. - flat_name: process.entry_leader.parent.session_leader.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. 
- type: keyword -process.entry_leader.parent.session_leader.elf.header.entrypoint: - dashed_name: process-entry-leader-parent-session-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.entry_leader.parent.session_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -process.entry_leader.parent.session_leader.elf.header.object_version: - dashed_name: process-entry-leader-parent-session-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.entry_leader.parent.session_leader.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword -process.entry_leader.parent.session_leader.elf.header.os_abi: - dashed_name: process-entry-leader-parent-session-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.entry_leader.parent.session_leader.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword -process.entry_leader.parent.session_leader.elf.header.type: - dashed_name: process-entry-leader-parent-session-leader-elf-header-type - description: Header type of the ELF file. - flat_name: process.entry_leader.parent.session_leader.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword -process.entry_leader.parent.session_leader.elf.header.version: - dashed_name: process-entry-leader-parent-session-leader-elf-header-version - description: Version of the ELF header. 
- flat_name: process.entry_leader.parent.session_leader.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword -process.entry_leader.parent.session_leader.elf.import_hash: - dashed_name: process-entry-leader-parent-session-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.session_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword -process.entry_leader.parent.session_leader.elf.imports: - dashed_name: process-entry-leader-parent-session-leader-elf-imports - description: List of imported element names and types. - flat_name: process.entry_leader.parent.session_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -process.entry_leader.parent.session_leader.elf.imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.entry_leader.parent.session_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and types. 
- type: long -process.entry_leader.parent.session_leader.elf.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.parent.session_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.entry_leader.parent.session_leader.elf.sections: - dashed_name: process-entry-leader-parent-session-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: process.entry_leader.parent.session_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -process.entry_leader.parent.session_leader.elf.sections.chi2: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.entry_leader.parent.session_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long -process.entry_leader.parent.session_leader.elf.sections.entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.entry_leader.parent.session_leader.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -process.entry_leader.parent.session_leader.elf.sections.flags: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.entry_leader.parent.session_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword -process.entry_leader.parent.session_leader.elf.sections.name: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.entry_leader.parent.session_leader.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword -process.entry_leader.parent.session_leader.elf.sections.physical_offset: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.entry_leader.parent.session_leader.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword -process.entry_leader.parent.session_leader.elf.sections.physical_size: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.entry_leader.parent.session_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. 
- type: long -process.entry_leader.parent.session_leader.elf.sections.type: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-type - description: ELF Section List type. - flat_name: process.entry_leader.parent.session_leader.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword -process.entry_leader.parent.session_leader.elf.sections.var_entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.session_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long -process.entry_leader.parent.session_leader.elf.sections.virtual_address: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.entry_leader.parent.session_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -process.entry_leader.parent.session_leader.elf.sections.virtual_size: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.entry_leader.parent.session_leader.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. 
- type: long -process.entry_leader.parent.session_leader.elf.segments: - dashed_name: process-entry-leader-parent-session-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: process.entry_leader.parent.session_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested -process.entry_leader.parent.session_leader.elf.segments.sections: - dashed_name: process-entry-leader-parent-session-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.entry_leader.parent.session_leader.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword -process.entry_leader.parent.session_leader.elf.segments.type: - dashed_name: process-entry-leader-parent-session-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.entry_leader.parent.session_leader.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword -process.entry_leader.parent.session_leader.elf.shared_libraries: - dashed_name: process-entry-leader-parent-session-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.entry_leader.parent.session_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. 
- type: keyword -process.entry_leader.parent.session_leader.elf.telfhash: - dashed_name: process-entry-leader-parent-session-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.entry_leader.parent.session_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword -process.entry_leader.parent.session_leader.end: - dashed_name: process-entry-leader-parent-session-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.session_leader.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date -process.entry_leader.parent.session_leader.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.entry_leader.parent.session_leader.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.entry_leader.parent.session_leader.entity_id: - dashed_name: process-entry-leader-parent-session-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. 
- - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.parent.session_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.address: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.as.number: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-as-organization-name - description: Organization name. 
- example: Google LLC - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.bytes: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long -process.entry_leader.parent.session_leader.entry_meta.source.domain: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' - example: foo.example.com - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.geo.city_name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. 
- type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_code: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.geo.country_name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. 
- type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.geo.location: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -process.entry_leader.parent.session_leader.entry_meta.source.geo.name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.geo.postal_code: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. 
- example: CA-QC - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.geo.region_name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.geo.timezone: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.ip: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.entry_leader.parent.session_leader.entry_meta.source.mac: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. 
Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.nat.ip: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.entry_leader.parent.session_leader.entry_meta.source.nat.port: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.entry_leader.parent.session_leader.entry_meta.source.packets: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. 
- type: long -process.entry_leader.parent.session_leader.entry_meta.source.port: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.entry_leader.parent.session_leader.entry_meta.source.registered_domain: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.subdomain: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' 
- example: east - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.top_level_domain: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword -process.entry_leader.parent.session_leader.entry_meta.type: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.entry_leader.parent.session_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword -process.entry_leader.parent.session_leader.env_vars: - dashed_name: process-entry-leader-parent-session-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. 
- - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.entry_leader.parent.session_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.session_leader.executable: - dashed_name: process-entry-leader-parent-session-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.entry_leader.parent.session_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword -process.entry_leader.parent.session_leader.exit_code: - dashed_name: process-entry-leader-parent-session-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.entry_leader.parent.session_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long -process.entry_leader.parent.session_leader.group.domain: - dashed_name: process-entry-leader-parent-session-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.entry_leader.parent.session_leader.group.id: - dashed_name: process-entry-leader-parent-session-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.session_leader.group.name: - dashed_name: process-entry-leader-parent-session-leader-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.session_leader.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.entry_leader.parent.session_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.entry_leader.parent.session_leader.hash.md5: - dashed_name: process-entry-leader-parent-session-leader-hash-md5 - description: MD5 hash. - flat_name: process.entry_leader.parent.session_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.entry_leader.parent.session_leader.hash.sha1: - dashed_name: process-entry-leader-parent-session-leader-hash-sha1 - description: SHA1 hash. 
- flat_name: process.entry_leader.parent.session_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.entry_leader.parent.session_leader.hash.sha256: - dashed_name: process-entry-leader-parent-session-leader-hash-sha256 - description: SHA256 hash. - flat_name: process.entry_leader.parent.session_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.entry_leader.parent.session_leader.hash.sha384: - dashed_name: process-entry-leader-parent-session-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.entry_leader.parent.session_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword -process.entry_leader.parent.session_leader.hash.sha512: - dashed_name: process-entry-leader-parent-session-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.entry_leader.parent.session_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.entry_leader.parent.session_leader.hash.ssdeep: - dashed_name: process-entry-leader-parent-session-leader-hash-ssdeep - description: SSDEEP hash. - flat_name: process.entry_leader.parent.session_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -process.entry_leader.parent.session_leader.hash.tlsh: - dashed_name: process-entry-leader-parent-session-leader-hash-tlsh - description: TLSH hash. - flat_name: process.entry_leader.parent.session_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. 
- type: keyword -process.entry_leader.parent.session_leader.interactive: - dashed_name: process-entry-leader-parent-session-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.entry_leader.parent.session_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.entry_leader.parent.session_leader.io: - dashed_name: process-entry-leader-parent-session-leader-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.entry_leader.parent.session_leader.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object -process.entry_leader.parent.session_leader.io.bytes_skipped: - dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. 
- flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been skipped. - type: object -process.entry_leader.parent.session_leader.io.bytes_skipped.length: - dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long -process.entry_leader.parent.session_leader.io.bytes_skipped.offset: - dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-entry-leader-parent-session-leader-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. 
- type: boolean -process.entry_leader.parent.session_leader.io.text: - dashed_name: process-entry-leader-parent-session-leader-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.entry_leader.parent.session_leader.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard -process.entry_leader.parent.session_leader.io.total_bytes_captured: - dashed_name: process-entry-leader-parent-session-leader-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.entry_leader.parent.session_leader.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long -process.entry_leader.parent.session_leader.io.total_bytes_skipped: - dashed_name: process-entry-leader-parent-session-leader-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.entry_leader.parent.session_leader.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. 
- type: long -process.entry_leader.parent.session_leader.io.type: - dashed_name: process-entry-leader-parent-session-leader-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.entry_leader.parent.session_leader.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword -process.entry_leader.parent.session_leader.macho.go_import_hash: - dashed_name: process-entry-leader-parent-session-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.session_leader.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword -process.entry_leader.parent.session_leader.macho.go_imports: - dashed_name: process-entry-leader-parent-session-leader-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.session_leader.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. 
- type: flattened -process.entry_leader.parent.session_leader.macho.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.session_leader.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long -process.entry_leader.parent.session_leader.macho.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.session_leader.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.entry_leader.parent.session_leader.macho.go_stripped: - dashed_name: process-entry-leader-parent-session-leader-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.session_leader.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.entry_leader.parent.session_leader.macho.import_hash: - dashed_name: process-entry-leader-parent-session-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. 
- - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.session_leader.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.entry_leader.parent.session_leader.macho.imports: - dashed_name: process-entry-leader-parent-session-leader-macho-imports - description: List of imported element names and types. - flat_name: process.entry_leader.parent.session_leader.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened -process.entry_leader.parent.session_leader.macho.imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.entry_leader.parent.session_leader.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.entry_leader.parent.session_leader.macho.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.parent.session_leader.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. 
- type: long -process.entry_leader.parent.session_leader.macho.sections: - dashed_name: process-entry-leader-parent-session-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.entry_leader.parent.session_leader.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested -process.entry_leader.parent.session_leader.macho.sections.entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.session_leader.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long -process.entry_leader.parent.session_leader.macho.sections.name: - dashed_name: process-entry-leader-parent-session-leader-macho-sections-name - description: Mach-O Section List name. - flat_name: process.entry_leader.parent.session_leader.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword -process.entry_leader.parent.session_leader.macho.sections.physical_size: - dashed_name: process-entry-leader-parent-session-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.entry_leader.parent.session_leader.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. 
- type: long -process.entry_leader.parent.session_leader.macho.sections.var_entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.session_leader.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long -process.entry_leader.parent.session_leader.macho.sections.virtual_size: - dashed_name: process-entry-leader-parent-session-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.parent.session_leader.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long -process.entry_leader.parent.session_leader.macho.symhash: - dashed_name: process-entry-leader-parent-session-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.entry_leader.parent.session_leader.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.entry_leader.parent.session_leader.name: - dashed_name: process-entry-leader-parent-session-leader-name - description: 'Process name. - - Sometimes called program name or similar.' 
- example: ssh - flat_name: process.entry_leader.parent.session_leader.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword -process.entry_leader.parent.session_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. - example: http://example.com/article1.html - flat_name: process.entry_leader.parent.session_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.entry_leader.parent.session_leader.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.entry_leader.parent.session_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword -process.entry_leader.parent.session_leader.pe.architecture: - dashed_name: process-entry-leader-parent-session-leader-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.entry_leader.parent.session_leader.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. 
- type: keyword -process.entry_leader.parent.session_leader.pe.company: - dashed_name: process-entry-leader-parent-session-leader-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.entry_leader.parent.session_leader.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.entry_leader.parent.session_leader.pe.description: - dashed_name: process-entry-leader-parent-session-leader-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.entry_leader.parent.session_leader.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword -process.entry_leader.parent.session_leader.pe.file_version: - dashed_name: process-entry-leader-parent-session-leader-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.entry_leader.parent.session_leader.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword -process.entry_leader.parent.session_leader.pe.go_import_hash: - dashed_name: process-entry-leader-parent-session-leader-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.session_leader.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword -process.entry_leader.parent.session_leader.pe.go_imports: - dashed_name: process-entry-leader-parent-session-leader-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.session_leader.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened -process.entry_leader.parent.session_leader.pe.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.session_leader.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long -process.entry_leader.parent.session_leader.pe.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.session_leader.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long -process.entry_leader.parent.session_leader.pe.go_stripped: - dashed_name: process-entry-leader-parent-session-leader-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.session_leader.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.entry_leader.parent.session_leader.pe.imphash: - dashed_name: process-entry-leader-parent-session-leader-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.entry_leader.parent.session_leader.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.entry_leader.parent.session_leader.pe.import_hash: - dashed_name: process-entry-leader-parent-session-leader-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.session_leader.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. 
- type: keyword -process.entry_leader.parent.session_leader.pe.imports: - dashed_name: process-entry-leader-parent-session-leader-pe-imports - description: List of imported element names and types. - flat_name: process.entry_leader.parent.session_leader.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened -process.entry_leader.parent.session_leader.pe.imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.entry_leader.parent.session_leader.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.entry_leader.parent.session_leader.pe.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.parent.session_leader.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.entry_leader.parent.session_leader.pe.original_file_name: - dashed_name: process-entry-leader-parent-session-leader-pe-original-file-name - description: Internal name of the file, provided at compile-time. 
- example: MSPAINT.EXE - flat_name: process.entry_leader.parent.session_leader.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword -process.entry_leader.parent.session_leader.pe.pehash: - dashed_name: process-entry-leader-parent-session-leader-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.entry_leader.parent.session_leader.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword -process.entry_leader.parent.session_leader.pe.product: - dashed_name: process-entry-leader-parent-session-leader-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.entry_leader.parent.session_leader.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.entry_leader.parent.session_leader.pe.sections: - dashed_name: process-entry-leader-parent-session-leader-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' 
- flat_name: process.entry_leader.parent.session_leader.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.entry_leader.parent.session_leader.pe.sections.entropy: - dashed_name: process-entry-leader-parent-session-leader-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.session_leader.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long -process.entry_leader.parent.session_leader.pe.sections.name: - dashed_name: process-entry-leader-parent-session-leader-pe-sections-name - description: PE Section List name. - flat_name: process.entry_leader.parent.session_leader.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword -process.entry_leader.parent.session_leader.pe.sections.physical_size: - dashed_name: process-entry-leader-parent-session-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.entry_leader.parent.session_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.entry_leader.parent.session_leader.pe.sections.var_entropy: - dashed_name: process-entry-leader-parent-session-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.session_leader.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. 
- type: long -process.entry_leader.parent.session_leader.pe.sections.virtual_size: - dashed_name: process-entry-leader-parent-session-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.parent.session_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.entry_leader.parent.session_leader.pid: - dashed_name: process-entry-leader-parent-session-leader-pid - description: Process id. - example: 4242 - flat_name: process.entry_leader.parent.session_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long -process.entry_leader.parent.session_leader.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. - flat_name: process.entry_leader.parent.session_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.entry_leader.parent.session_leader.real_group.domain: - dashed_name: process-entry-leader-parent-session-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.entry_leader.parent.session_leader.real_group.id: - dashed_name: process-entry-leader-parent-session-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.session_leader.real_group.name: - dashed_name: process-entry-leader-parent-session-leader-real-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.session_leader.real_user.domain: - dashed_name: process-entry-leader-parent-session-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.entry_leader.parent.session_leader.real_user.email: - dashed_name: process-entry-leader-parent-session-leader-real-user-email - description: User email address. - flat_name: process.entry_leader.parent.session_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.entry_leader.parent.session_leader.real_user.entity.attributes: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-session-leader-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.entry_leader.parent.session_leader.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.entry_leader.parent.session_leader.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.entry_leader.parent.session_leader.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.real_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.entry_leader.parent.session_leader.real_user.entity.id: - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.entry_leader.parent.session_leader.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.entry_leader.parent.session_leader.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. 
- flat_name: process.entry_leader.parent.session_leader.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.entry_leader.parent.session_leader.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.entry_leader.parent.session_leader.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.entry_leader.parent.session_leader.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.entry_leader.parent.session_leader.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. 
For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.entry_leader.parent.session_leader.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.real_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.entry_leader.parent.session_leader.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.entry_leader.parent.session_leader.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.entry_leader.parent.session_leader.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.parent.session_leader.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. 
- type: keyword -process.entry_leader.parent.session_leader.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.entry_leader.parent.session_leader.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.entry_leader.parent.session_leader.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.parent.session_leader.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.entry_leader.parent.session_leader.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. 
This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. 
This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
- example: host - flat_name: process.entry_leader.parent.session_leader.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.entry_leader.parent.session_leader.real_user.full_name: - dashed_name: process-entry-leader-parent-session-leader-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.session_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.entry_leader.parent.session_leader.real_user.group.domain: - dashed_name: process-entry-leader-parent-session-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.session_leader.real_user.group.id: - dashed_name: process-entry-leader-parent-session-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword -process.entry_leader.parent.session_leader.real_user.group.name: - dashed_name: process-entry-leader-parent-session-leader-real-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.session_leader.real_user.hash: - dashed_name: process-entry-leader-parent-session-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.session_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.parent.session_leader.real_user.id: - dashed_name: process-entry-leader-parent-session-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.session_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.entry_leader.parent.session_leader.real_user.name: - dashed_name: process-entry-leader-parent-session-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.session_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword -process.entry_leader.parent.session_leader.real_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.entry_leader.parent.session_leader.real_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.entry_leader.parent.session_leader.real_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float -process.entry_leader.parent.session_leader.real_user.risk.static_level: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.entry_leader.parent.session_leader.real_user.risk.static_score: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.entry_leader.parent.session_leader.real_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. 
- type: float -process.entry_leader.parent.session_leader.real_user.roles: - dashed_name: process-entry-leader-parent-session-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.session_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.session_leader.same_as_process: - dashed_name: process-entry-leader-parent-session-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.entry_leader.parent.session_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. 
- type: boolean -process.entry_leader.parent.session_leader.saved_group.domain: - dashed_name: process-entry-leader-parent-session-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.session_leader.saved_group.id: - dashed_name: process-entry-leader-parent-session-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.session_leader.saved_group.name: - dashed_name: process-entry-leader-parent-session-leader-saved-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.session_leader.saved_user.domain: - dashed_name: process-entry-leader-parent-session-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. 
- type: keyword -process.entry_leader.parent.session_leader.saved_user.email: - dashed_name: process-entry-leader-parent-session-leader-saved-user-email - description: User email address. - flat_name: process.entry_leader.parent.session_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.entry_leader.parent.session_leader.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.entry_leader.parent.session_leader.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. 
- flat_name: process.entry_leader.parent.session_leader.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.entry_leader.parent.session_leader.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.entry_leader.parent.session_leader.saved_user.entity.id: - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' 
- flat_name: process.entry_leader.parent.session_leader.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.entry_leader.parent.session_leader.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.entry_leader.parent.session_leader.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.entry_leader.parent.session_leader.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. 
- flat_name: process.entry_leader.parent.session_leader.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.entry_leader.parent.session_leader.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.entry_leader.parent.session_leader.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.entry_leader.parent.session_leader.saved_user.entity.reference: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.entry_leader.parent.session_leader.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.entry_leader.parent.session_leader.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.entry_leader.parent.session_leader.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. 
This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.entry_leader.parent.session_leader.saved_user.full_name: - dashed_name: process-entry-leader-parent-session-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.session_leader.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.entry_leader.parent.session_leader.saved_user.group.domain: - dashed_name: process-entry-leader-parent-session-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.entry_leader.parent.session_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.session_leader.saved_user.group.id: - dashed_name: process-entry-leader-parent-session-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.session_leader.saved_user.group.name: - dashed_name: process-entry-leader-parent-session-leader-saved-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.session_leader.saved_user.hash: - dashed_name: process-entry-leader-parent-session-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.session_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.parent.session_leader.saved_user.id: - dashed_name: process-entry-leader-parent-session-leader-saved-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.session_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.entry_leader.parent.session_leader.saved_user.name: - dashed_name: process-entry-leader-parent-session-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.session_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.entry_leader.parent.session_leader.saved_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.entry_leader.parent.session_leader.saved_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.entry_leader.parent.session_leader.saved_user.risk.static_level: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.entry_leader.parent.session_leader.saved_user.risk.static_score: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.entry_leader.parent.session_leader.saved_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.entry_leader.parent.session_leader.saved_user.roles: - dashed_name: process-entry-leader-parent-session-leader-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.session_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.session_leader.start: - dashed_name: process-entry-leader-parent-session-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.session_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. 
- type: date -process.entry_leader.parent.session_leader.supplemental_groups.domain: - dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.session_leader.supplemental_groups.id: - dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.session_leader.supplemental_groups.name: - dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.session_leader.thread.capabilities.effective: - dashed_name: process-entry-leader-parent-session-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.parent.session_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.session_leader.thread.capabilities.permitted: - dashed_name: process-entry-leader-parent-session-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.parent.session_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.session_leader.thread.id: - dashed_name: process-entry-leader-parent-session-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.entry_leader.parent.session_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long -process.entry_leader.parent.session_leader.thread.name: - dashed_name: process-entry-leader-parent-session-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.entry_leader.parent.session_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword -process.entry_leader.parent.session_leader.title: - dashed_name: process-entry-leader-parent-session-leader-title - description: 'Process title. - - The proctitle, some times the same as process name. 
Can also be different: for - example a browser setting its title to the web page currently opened.' - flat_name: process.entry_leader.parent.session_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword -process.entry_leader.parent.session_leader.tty: - dashed_name: process-entry-leader-parent-session-leader-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.entry_leader.parent.session_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.entry_leader.parent.session_leader.tty.char_device.major: - dashed_name: process-entry-leader-parent-session-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.entry_leader.parent.session_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long -process.entry_leader.parent.session_leader.tty.char_device.minor: - dashed_name: process-entry-leader-parent-session-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. 
It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.entry_leader.parent.session_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long -process.entry_leader.parent.session_leader.tty.columns: - dashed_name: process-entry-leader-parent-session-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.entry_leader.parent.session_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long -process.entry_leader.parent.session_leader.tty.rows: - dashed_name: process-entry-leader-parent-session-leader-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.entry_leader.parent.session_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long -process.entry_leader.parent.session_leader.uptime: - dashed_name: process-entry-leader-parent-session-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.entry_leader.parent.session_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. 
- type: long -process.entry_leader.parent.session_leader.user.domain: - dashed_name: process-entry-leader-parent-session-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.entry_leader.parent.session_leader.user.email: - dashed_name: process-entry-leader-parent-session-leader-user-email - description: User email address. - flat_name: process.entry_leader.parent.session_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.entry_leader.parent.session_leader.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.entry_leader.parent.session_leader.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. 
Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.entry_leader.parent.session_leader.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.parent.session_leader.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.entry_leader.parent.session_leader.user.entity.id: - dashed_name: process-entry-leader-parent-session-leader-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. 
Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.entry_leader.parent.session_leader.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.entry_leader.parent.session_leader.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.parent.session_leader.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.entry_leader.parent.session_leader.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.entry_leader.parent.session_leader.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. 
- flat_name: process.entry_leader.parent.session_leader.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.entry_leader.parent.session_leader.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.entry_leader.parent.session_leader.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.entry_leader.parent.session_leader.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.entry_leader.parent.session_leader.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.entry_leader.parent.session_leader.user.entity.reference: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-session-leader-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.parent.session_leader.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.entry_leader.parent.session_leader.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.entry_leader.parent.session_leader.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.entry_leader.parent.session_leader.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: process.entry_leader.parent.session_leader.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.entry_leader.parent.session_leader.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. 
This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.entry_leader.parent.session_leader.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.entry_leader.parent.session_leader.user.full_name: - dashed_name: process-entry-leader-parent-session-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.session_leader.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.entry_leader.parent.session_leader.user.group.domain: - dashed_name: process-entry-leader-parent-session-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.entry_leader.parent.session_leader.user.group.id: - dashed_name: process-entry-leader-parent-session-leader-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.session_leader.user.group.name: - dashed_name: process-entry-leader-parent-session-leader-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.session_leader.user.hash: - dashed_name: process-entry-leader-parent-session-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.session_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.parent.session_leader.user.id: - dashed_name: process-entry-leader-parent-session-leader-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.session_leader.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword -process.entry_leader.parent.session_leader.user.name: - dashed_name: process-entry-leader-parent-session-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.session_leader.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.entry_leader.parent.session_leader.user.risk.calculated_level: - dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.entry_leader.parent.session_leader.user.risk.calculated_score: - dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: float -process.entry_leader.parent.session_leader.user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.entry_leader.parent.session_leader.user.risk.static_level: - dashed_name: process-entry-leader-parent-session-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.session_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.entry_leader.parent.session_leader.user.risk.static_score: - dashed_name: process-entry-leader-parent-session-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.session_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.entry_leader.parent.session_leader.user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-session-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.session_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.entry_leader.parent.session_leader.user.roles: - dashed_name: process-entry-leader-parent-session-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.session_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.session_leader.vpid: - dashed_name: process-entry-leader-parent-session-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.entry_leader.parent.session_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.entry_leader.parent.session_leader.working_directory: - dashed_name: process-entry-leader-parent-session-leader-working-directory - description: The working directory of the process. 
- example: /home/alice - flat_name: process.entry_leader.parent.session_leader.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword -process.entry_leader.parent.start: - dashed_name: process-entry-leader-parent-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.entry_leader.parent.supplemental_groups.domain: - dashed_name: process-entry-leader-parent-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.supplemental_groups.id: - dashed_name: process-entry-leader-parent-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.supplemental_groups.name: - dashed_name: process-entry-leader-parent-supplemental-groups-name - description: Name of the group. 
- flat_name: process.entry_leader.parent.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.thread.capabilities.effective: - dashed_name: process-entry-leader-parent-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.parent.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.thread.capabilities.permitted: - dashed_name: process-entry-leader-parent-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.parent.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.thread.id: - dashed_name: process-entry-leader-parent-thread-id - description: Thread ID. - example: 4242 - flat_name: process.entry_leader.parent.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long -process.entry_leader.parent.thread.name: - dashed_name: process-entry-leader-parent-thread-name - description: Thread name. 
- example: thread-0 - flat_name: process.entry_leader.parent.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword -process.entry_leader.parent.title: - dashed_name: process-entry-leader-parent-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: for - example a browser setting its title to the web page currently opened.' - flat_name: process.entry_leader.parent.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword -process.entry_leader.parent.tty: - dashed_name: process-entry-leader-parent-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.entry_leader.parent.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.entry_leader.parent.tty.char_device.major: - dashed_name: process-entry-leader-parent-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.entry_leader.parent.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. 
- type: long -process.entry_leader.parent.tty.char_device.minor: - dashed_name: process-entry-leader-parent-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.entry_leader.parent.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long -process.entry_leader.parent.tty.columns: - dashed_name: process-entry-leader-parent-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.entry_leader.parent.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long -process.entry_leader.parent.tty.rows: - dashed_name: process-entry-leader-parent-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.entry_leader.parent.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long -process.entry_leader.parent.uptime: - dashed_name: process-entry-leader-parent-uptime - description: Seconds the process has been up. 
- example: 1325 - flat_name: process.entry_leader.parent.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long -process.entry_leader.parent.user.domain: - dashed_name: process-entry-leader-parent-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.entry_leader.parent.user.email: - dashed_name: process-entry-leader-parent-user-email - description: User email address. - flat_name: process.entry_leader.parent.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.entry_leader.parent.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.entry_leader.parent.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.entry_leader.parent.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. 
Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.entry_leader.parent.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.entry_leader.parent.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.parent.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.entry_leader.parent.user.entity.id: - dashed_name: process-entry-leader-parent-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' 
- flat_name: process.entry_leader.parent.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.entry_leader.parent.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.parent.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.entry_leader.parent.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.entry_leader.parent.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.entry_leader.parent.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. 
- type: object -process.entry_leader.parent.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.entry_leader.parent.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.entry_leader.parent.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.entry_leader.parent.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.entry_leader.parent.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. 
- flat_name: process.entry_leader.parent.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.entry_leader.parent.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.entry_leader.parent.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.entry_leader.parent.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.parent.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.entry_leader.parent.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. 
- name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. 
This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
- example: host - flat_name: process.entry_leader.parent.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.entry_leader.parent.user.full_name: - dashed_name: process-entry-leader-parent-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.entry_leader.parent.user.group.domain: - dashed_name: process-entry-leader-parent-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.user.group.id: - dashed_name: process-entry-leader-parent-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.user.group.name: - dashed_name: process-entry-leader-parent-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.entry_leader.parent.user.hash: - dashed_name: process-entry-leader-parent-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.parent.user.id: - dashed_name: process-entry-leader-parent-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.entry_leader.parent.user.name: - dashed_name: process-entry-leader-parent-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.entry_leader.parent.user.risk.calculated_level: - dashed_name: process-entry-leader-parent-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: keyword -process.entry_leader.parent.user.risk.calculated_score: - dashed_name: process-entry-leader-parent-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.entry_leader.parent.user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.parent.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.entry_leader.parent.user.risk.static_level: - dashed_name: process-entry-leader-parent-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.entry_leader.parent.user.risk.static_score: - dashed_name: process-entry-leader-parent-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.entry_leader.parent.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.entry_leader.parent.user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.entry_leader.parent.user.roles: - dashed_name: process-entry-leader-parent-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.vpid: - dashed_name: process-entry-leader-parent-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.entry_leader.parent.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.entry_leader.parent.working_directory: - dashed_name: process-entry-leader-parent-working-directory - description: The working directory of the process. 
- example: /home/alice - flat_name: process.entry_leader.parent.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword -process.entry_leader.pe.architecture: - dashed_name: process-entry-leader-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.entry_leader.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword -process.entry_leader.pe.company: - dashed_name: process-entry-leader-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.entry_leader.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.entry_leader.pe.description: - dashed_name: process-entry-leader-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.entry_leader.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword -process.entry_leader.pe.file_version: - dashed_name: process-entry-leader-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.entry_leader.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. 
- type: keyword -process.entry_leader.pe.go_import_hash: - dashed_name: process-entry-leader-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword -process.entry_leader.pe.go_imports: - dashed_name: process-entry-leader-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened -process.entry_leader.pe.go_imports_names_entropy: - dashed_name: process-entry-leader-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long -process.entry_leader.pe.go_imports_names_var_entropy: - dashed_name: process-entry-leader-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. 
- flat_name: process.entry_leader.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.entry_leader.pe.go_stripped: - dashed_name: process-entry-leader-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.entry_leader.pe.imphash: - dashed_name: process-entry-leader-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.entry_leader.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.entry_leader.pe.import_hash: - dashed_name: process-entry-leader-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.entry_leader.pe.imports: - dashed_name: process-entry-leader-pe-imports - description: List of imported element names and types. - flat_name: process.entry_leader.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened -process.entry_leader.pe.imports_names_entropy: - dashed_name: process-entry-leader-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.entry_leader.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.entry_leader.pe.imports_names_var_entropy: - dashed_name: process-entry-leader-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.entry_leader.pe.original_file_name: - dashed_name: process-entry-leader-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.entry_leader.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. 
- type: keyword -process.entry_leader.pe.pehash: - dashed_name: process-entry-leader-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.entry_leader.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword -process.entry_leader.pe.product: - dashed_name: process-entry-leader-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.entry_leader.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.entry_leader.pe.sections: - dashed_name: process-entry-leader-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.entry_leader.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.entry_leader.pe.sections.entropy: - dashed_name: process-entry-leader-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. 
- type: long -process.entry_leader.pe.sections.name: - dashed_name: process-entry-leader-pe-sections-name - description: PE Section List name. - flat_name: process.entry_leader.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword -process.entry_leader.pe.sections.physical_size: - dashed_name: process-entry-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.entry_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.entry_leader.pe.sections.var_entropy: - dashed_name: process-entry-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.entry_leader.pe.sections.virtual_size: - dashed_name: process-entry-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.entry_leader.pid: - dashed_name: process-entry-leader-pid - description: Process id. - example: 4242 - flat_name: process.entry_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long -process.entry_leader.platform_binary: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. - flat_name: process.entry_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.entry_leader.real_group.domain: - dashed_name: process-entry-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.real_group.id: - dashed_name: process-entry-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.real_group.name: - dashed_name: process-entry-leader-real-group-name - description: Name of the group. - flat_name: process.entry_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.real_user.domain: - dashed_name: process-entry-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.entry_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.entry_leader.real_user.email: - dashed_name: process-entry-leader-real-user-email - description: User email address. - flat_name: process.entry_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.entry_leader.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.entry_leader.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.entry_leader.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. 
- flat_name: process.entry_leader.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.entry_leader.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.real_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.entry_leader.real_user.entity.id: - dashed_name: process-entry-leader-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.entry_leader.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. 
- type: keyword -process.entry_leader.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.entry_leader.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.entry_leader.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.entry_leader.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.entry_leader.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-name - description: The name of the entity. 
The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.entry_leader.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.real_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.entry_leader.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.entry_leader.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.entry_leader.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.entry_leader.real_user.entity.source: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-real-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.entry_leader.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.entry_leader.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.entry_leader.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. 
- name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. 
- name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.entry_leader.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.entry_leader.real_user.full_name: - dashed_name: process-entry-leader-real-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.entry_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.entry_leader.real_user.group.domain: - dashed_name: process-entry-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.real_user.group.id: - dashed_name: process-entry-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.real_user.group.name: - dashed_name: process-entry-leader-real-user-group-name - description: Name of the group. - flat_name: process.entry_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.real_user.hash: - dashed_name: process-entry-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.entry_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.real_user.id: - dashed_name: process-entry-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.entry_leader.real_user.name: - dashed_name: process-entry-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.entry_leader.real_user.risk.calculated_level: - dashed_name: process-entry-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.entry_leader.real_user.risk.calculated_score: - dashed_name: process-entry-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.entry_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.entry_leader.real_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.entry_leader.real_user.risk.static_level: - dashed_name: process-entry-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.entry_leader.real_user.risk.static_score: - dashed_name: process-entry-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.entry_leader.real_user.risk.static_score_norm: - dashed_name: process-entry-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.entry_leader.real_user.roles: - dashed_name: process-entry-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.entry_leader.same_as_process: - dashed_name: process-entry-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. 
e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.entry_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.entry_leader.saved_group.domain: - dashed_name: process-entry-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.saved_group.id: - dashed_name: process-entry-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.saved_group.name: - dashed_name: process-entry-leader-saved-group-name - description: Name of the group. - flat_name: process.entry_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.entry_leader.saved_user.domain: - dashed_name: process-entry-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.entry_leader.saved_user.email: - dashed_name: process-entry-leader-saved-user-email - description: User email address. - flat_name: process.entry_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.entry_leader.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.entry_leader.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.entry_leader.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. 
Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.entry_leader.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.entry_leader.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.saved_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.entry_leader.saved_user.entity.id: - dashed_name: process-entry-leader-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' 
- flat_name: process.entry_leader.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.entry_leader.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.entry_leader.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.entry_leader.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.entry_leader.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. 
- type: object -process.entry_leader.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.entry_leader.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.saved_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.entry_leader.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.entry_leader.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.entry_leader.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. 
- flat_name: process.entry_leader.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.entry_leader.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.entry_leader.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.entry_leader.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.entry_leader.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. 
- name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. 
This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
- example: host - flat_name: process.entry_leader.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.entry_leader.saved_user.full_name: - dashed_name: process-entry-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.entry_leader.saved_user.group.domain: - dashed_name: process-entry-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.saved_user.group.id: - dashed_name: process-entry-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.saved_user.group.name: - dashed_name: process-entry-leader-saved-user-group-name - description: Name of the group. - flat_name: process.entry_leader.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.entry_leader.saved_user.hash: - dashed_name: process-entry-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.saved_user.id: - dashed_name: process-entry-leader-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.entry_leader.saved_user.name: - dashed_name: process-entry-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.entry_leader.saved_user.risk.calculated_level: - dashed_name: process-entry-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: keyword -process.entry_leader.saved_user.risk.calculated_score: - dashed_name: process-entry-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.entry_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.entry_leader.saved_user.risk.static_level: - dashed_name: process-entry-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.entry_leader.saved_user.risk.static_score: - dashed_name: process-entry-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.entry_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.entry_leader.saved_user.risk.static_score_norm: - dashed_name: process-entry-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.entry_leader.saved_user.roles: - dashed_name: process-entry-leader-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.entry_leader.start: - dashed_name: process-entry-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.entry_leader.supplemental_groups.domain: - dashed_name: process-entry-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.entry_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.supplemental_groups.id: - dashed_name: process-entry-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.supplemental_groups.name: - dashed_name: process-entry-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.entry_leader.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.thread.capabilities.effective: - dashed_name: process-entry-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword -process.entry_leader.thread.capabilities.permitted: - dashed_name: process-entry-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword -process.entry_leader.thread.id: - dashed_name: process-entry-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.entry_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long -process.entry_leader.thread.name: - dashed_name: process-entry-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.entry_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword -process.entry_leader.title: - dashed_name: process-entry-leader-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: for - example a browser setting its title to the web page currently opened.' - flat_name: process.entry_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword -process.entry_leader.tty: - dashed_name: process-entry-leader-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.entry_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. 
- type: object -process.entry_leader.tty.char_device.major: - dashed_name: process-entry-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.entry_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long -process.entry_leader.tty.char_device.minor: - dashed_name: process-entry-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.entry_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long -process.entry_leader.tty.columns: - dashed_name: process-entry-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.entry_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long -process.entry_leader.tty.rows: - dashed_name: process-entry-leader-tty-rows - description: 'The number of character rows in the terminal. 
e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.entry_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long -process.entry_leader.uptime: - dashed_name: process-entry-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.entry_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long -process.entry_leader.user.domain: - dashed_name: process-entry-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.entry_leader.user.email: - dashed_name: process-entry-leader-user-email - description: User email address. - flat_name: process.entry_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.entry_leader.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. 
- flat_name: process.entry_leader.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.entry_leader.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.entry_leader.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.entry_leader.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.entry_leader.user.entity.id: - dashed_name: process-entry-leader-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.entry_leader.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.entry_leader.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.entry_leader.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. 
- type: object -process.entry_leader.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.entry_leader.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.entry_leader.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.entry_leader.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.entry_leader.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.entry_leader.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.entry_leader.user.entity.reference: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.entry_leader.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.entry_leader.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.entry_leader.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. 
- type: keyword -process.entry_leader.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. 
- name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-type - description: 'A standardized high-level classification of the entity. 
This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.entry_leader.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.entry_leader.user.full_name: - dashed_name: process-entry-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.entry_leader.user.group.domain: - dashed_name: process-entry-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.user.group.id: - dashed_name: process-entry-leader-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.user.group.name: - dashed_name: process-entry-leader-user-group-name - description: Name of the group. 
- flat_name: process.entry_leader.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.user.hash: - dashed_name: process-entry-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.user.id: - dashed_name: process-entry-leader-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.entry_leader.user.name: - dashed_name: process-entry-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.entry_leader.user.risk.calculated_level: - dashed_name: process-entry-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: High - flat_name: process.entry_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.entry_leader.user.risk.calculated_score: - dashed_name: process-entry-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.entry_leader.user.risk.calculated_score_norm: - dashed_name: process-entry-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.entry_leader.user.risk.static_level: - dashed_name: process-entry-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: keyword -process.entry_leader.user.risk.static_score: - dashed_name: process-entry-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.entry_leader.user.risk.static_score_norm: - dashed_name: process-entry-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.entry_leader.user.roles: - dashed_name: process-entry-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.entry_leader.vpid: - dashed_name: process-entry-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.entry_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. 
- type: long -process.entry_leader.working_directory: - dashed_name: process-entry-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.entry_leader.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword -process.entry_meta.source.address: - dashed_name: process-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword -process.entry_meta.source.as.number: - dashed_name: process-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.entry_meta.source.as.organization.name: - dashed_name: process-entry-meta-source-as-organization-name - description: Organization name. 
- example: Google LLC - flat_name: process.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword -process.entry_meta.source.bytes: - dashed_name: process-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long -process.entry_meta.source.domain: - dashed_name: process-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' - example: foo.example.com - flat_name: process.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.entry_meta.source.geo.city_name: - dashed_name: process-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.entry_meta.source.geo.continent_code: - dashed_name: process-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. 
- type: keyword -process.entry_meta.source.geo.continent_name: - dashed_name: process-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword -process.entry_meta.source.geo.country_iso_code: - dashed_name: process-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword -process.entry_meta.source.geo.country_name: - dashed_name: process-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.entry_meta.source.geo.location: - dashed_name: process-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -process.entry_meta.source.geo.name: - dashed_name: process-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' 
- example: boston-dc - flat_name: process.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.entry_meta.source.geo.postal_code: - dashed_name: process-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -process.entry_meta.source.geo.region_iso_code: - dashed_name: process-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.entry_meta.source.geo.region_name: - dashed_name: process-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -process.entry_meta.source.geo.timezone: - dashed_name: process-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -process.entry_meta.source.ip: - dashed_name: process-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). 
- flat_name: process.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.entry_meta.source.mac: - dashed_name: process-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.entry_meta.source.nat.ip: - dashed_name: process-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.entry_meta.source.nat.port: - dashed_name: process-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.entry_meta.source.packets: - dashed_name: process-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. 
- type: long -process.entry_meta.source.port: - dashed_name: process-entry-meta-source-port - description: Port of the source. - flat_name: process.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.entry_meta.source.registered_domain: - dashed_name: process-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword -process.entry_meta.source.subdomain: - dashed_name: process-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. 
- type: keyword -process.entry_meta.source.top_level_domain: - dashed_name: process-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword -process.entry_meta.type: - dashed_name: process-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - short: The entry type for the entry session leader. - type: keyword -process.env_vars: - dashed_name: process-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.executable: - dashed_name: process-executable - description: Absolute path to the process executable. 
- example: /usr/bin/ssh - flat_name: process.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - otel: - - attribute: process.executable.path - relation: equivalent - short: Absolute path to the process executable. - type: keyword -process.exit_code: - dashed_name: process-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.exit_code - level: extended - name: exit_code - normalize: [] - short: The exit code of the process. - type: long -process.group.domain: - dashed_name: process-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.group.id: - dashed_name: process-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group.name: - dashed_name: process-group-name - description: Name of the group. - flat_name: process.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.group_leader.args: - dashed_name: process-group-leader-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' 
- example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.group_leader.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword -process.group_leader.args_count: - dashed_name: process-group-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.group_leader.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long -process.group_leader.attested_groups.domain: - dashed_name: process-group-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.group_leader.attested_groups.id: - dashed_name: process-group-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group_leader.attested_groups.name: - dashed_name: process-group-leader-attested-groups-name - description: Name of the group. - flat_name: process.group_leader.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.group_leader.attested_user.domain: - dashed_name: process-group-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.group_leader.attested_user.email: - dashed_name: process-group-leader-attested-user-email - description: User email address. - flat_name: process.group_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.group_leader.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.group_leader.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.group_leader.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. 
Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.group_leader.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.group_leader.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.group_leader.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.attested_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.group_leader.attested_user.entity.id: - dashed_name: process-group-leader-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' 
- flat_name: process.group_leader.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.group_leader.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.group_leader.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.group_leader.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.group_leader.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.group_leader.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.group_leader.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. 
- type: object -process.group_leader.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.group_leader.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.attested_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.group_leader.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.group_leader.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.group_leader.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. 
- flat_name: process.group_leader.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.group_leader.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.group_leader.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.group_leader.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.group_leader.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.group_leader.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. 
Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. 
Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. 
- Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.group_leader.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.group_leader.attested_user.full_name: - dashed_name: process-group-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.group_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.group_leader.attested_user.group.domain: - dashed_name: process-group-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.group_leader.attested_user.group.id: - dashed_name: process-group-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group_leader.attested_user.group.name: - dashed_name: process-group-leader-attested-user-group-name - description: Name of the group. 
- flat_name: process.group_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.group_leader.attested_user.hash: - dashed_name: process-group-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.group_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.group_leader.attested_user.id: - dashed_name: process-group-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.group_leader.attested_user.name: - dashed_name: process-group-leader-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.group_leader.attested_user.risk.calculated_level: - dashed_name: process-group-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: High - flat_name: process.group_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.group_leader.attested_user.risk.calculated_score: - dashed_name: process-group-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.group_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.group_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-group-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.group_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.group_leader.attested_user.risk.static_level: - dashed_name: process-group-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.group_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.group_leader.attested_user.risk.static_score: - dashed_name: process-group-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.group_leader.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.group_leader.attested_user.risk.static_score_norm: - dashed_name: process-group-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.group_leader.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.group_leader.attested_user.roles: - dashed_name: process-group-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.group_leader.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword -process.group_leader.code_signature.digest_algorithm: - dashed_name: process-group-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.group_leader.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword -process.group_leader.code_signature.exists: - dashed_name: process-group-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.group_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -process.group_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.group_leader.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword -process.group_leader.code_signature.signing_id: - dashed_name: process-group-leader-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' 
- example: com.apple.xpc.proxy - flat_name: process.group_leader.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword -process.group_leader.code_signature.status: - dashed_name: process-group-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.group_leader.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword -process.group_leader.code_signature.subject_name: - dashed_name: process-group-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.group_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -process.group_leader.code_signature.team_id: - dashed_name: process-group-leader-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.group_leader.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword -process.group_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. 
- dashed_name: process-group-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.group_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword -process.group_leader.code_signature.timestamp: - dashed_name: process-group-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.group_leader.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date -process.group_leader.code_signature.trusted: - dashed_name: process-group-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.group_leader.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -process.group_leader.code_signature.valid: - dashed_name: process-group-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.group_leader.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. 
- type: boolean -process.group_leader.command_line: - dashed_name: process-group-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.group_leader.command_line - level: extended - multi_fields: - - flat_name: process.group_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.group_leader.elf.architecture: - dashed_name: process-group-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.group_leader.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword -process.group_leader.elf.byte_order: - dashed_name: process-group-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.group_leader.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword -process.group_leader.elf.cpu_type: - dashed_name: process-group-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.group_leader.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword -process.group_leader.elf.creation_date: - dashed_name: process-group-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. 
- flat_name: process.group_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date -process.group_leader.elf.exports: - dashed_name: process-group-leader-elf-exports - description: List of exported element names and types. - flat_name: process.group_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -process.group_leader.elf.go_import_hash: - dashed_name: process-group-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.group_leader.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword -process.group_leader.elf.go_imports: - dashed_name: process-group-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.group_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened -process.group_leader.elf.go_imports_names_entropy: - dashed_name: process-group-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.group_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long -process.group_leader.elf.go_imports_names_var_entropy: - dashed_name: process-group-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.group_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.group_leader.elf.go_stripped: - dashed_name: process-group-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.group_leader.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.group_leader.elf.header.abi_version: - dashed_name: process-group-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.group_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword -process.group_leader.elf.header.class: - dashed_name: process-group-leader-elf-header-class - description: Header class of the ELF file. - flat_name: process.group_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. 
- type: keyword -process.group_leader.elf.header.data: - dashed_name: process-group-leader-elf-header-data - description: Data table of the ELF header. - flat_name: process.group_leader.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword -process.group_leader.elf.header.entrypoint: - dashed_name: process-group-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.group_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -process.group_leader.elf.header.object_version: - dashed_name: process-group-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.group_leader.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword -process.group_leader.elf.header.os_abi: - dashed_name: process-group-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.group_leader.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword -process.group_leader.elf.header.type: - dashed_name: process-group-leader-elf-header-type - description: Header type of the ELF file. - flat_name: process.group_leader.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword -process.group_leader.elf.header.version: - dashed_name: process-group-leader-elf-header-version - description: Version of the ELF header. 
- flat_name: process.group_leader.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword -process.group_leader.elf.import_hash: - dashed_name: process-group-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.group_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword -process.group_leader.elf.imports: - dashed_name: process-group-leader-elf-imports - description: List of imported element names and types. - flat_name: process.group_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -process.group_leader.elf.imports_names_entropy: - dashed_name: process-group-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.group_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.group_leader.elf.imports_names_var_entropy: - dashed_name: process-group-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- flat_name: process.group_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.group_leader.elf.sections: - dashed_name: process-group-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: process.group_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -process.group_leader.elf.sections.chi2: - dashed_name: process-group-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.group_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long -process.group_leader.elf.sections.entropy: - dashed_name: process-group-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.group_leader.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -process.group_leader.elf.sections.flags: - dashed_name: process-group-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.group_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. 
- type: keyword -process.group_leader.elf.sections.name: - dashed_name: process-group-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.group_leader.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword -process.group_leader.elf.sections.physical_offset: - dashed_name: process-group-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.group_leader.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword -process.group_leader.elf.sections.physical_size: - dashed_name: process-group-leader-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.group_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long -process.group_leader.elf.sections.type: - dashed_name: process-group-leader-elf-sections-type - description: ELF Section List type. - flat_name: process.group_leader.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword -process.group_leader.elf.sections.var_entropy: - dashed_name: process-group-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.group_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. 
- type: long -process.group_leader.elf.sections.virtual_address: - dashed_name: process-group-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.group_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -process.group_leader.elf.sections.virtual_size: - dashed_name: process-group-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.group_leader.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long -process.group_leader.elf.segments: - dashed_name: process-group-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: process.group_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested -process.group_leader.elf.segments.sections: - dashed_name: process-group-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.group_leader.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword -process.group_leader.elf.segments.type: - dashed_name: process-group-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.group_leader.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. 
- type: keyword -process.group_leader.elf.shared_libraries: - dashed_name: process-group-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.group_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword -process.group_leader.elf.telfhash: - dashed_name: process-group-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.group_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword -process.group_leader.end: - dashed_name: process-group-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.group_leader.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date -process.group_leader.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.group_leader.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.group_leader.entity_id: - dashed_name: process-group-leader-entity-id - description: 'Unique identifier for the process. 
- - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.group_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.group_leader.entry_meta.source.address: - dashed_name: process-group-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.group_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword -process.group_leader.entry_meta.source.as.number: - dashed_name: process-group-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.group_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.group_leader.entry_meta.source.as.organization.name: - dashed_name: process-group-leader-entry-meta-source-as-organization-name - description: Organization name. 
- example: Google LLC - flat_name: process.group_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword -process.group_leader.entry_meta.source.bytes: - dashed_name: process-group-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.group_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long -process.group_leader.entry_meta.source.domain: - dashed_name: process-group-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' - example: foo.example.com - flat_name: process.group_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.group_leader.entry_meta.source.geo.city_name: - dashed_name: process-group-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.group_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.group_leader.entry_meta.source.geo.continent_code: - dashed_name: process-group-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. 
- example: NA - flat_name: process.group_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -process.group_leader.entry_meta.source.geo.continent_name: - dashed_name: process-group-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.group_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword -process.group_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-group-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.group_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword -process.group_leader.entry_meta.source.geo.country_name: - dashed_name: process-group-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.group_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.group_leader.entry_meta.source.geo.location: - dashed_name: process-group-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.group_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. 
- type: geo_point -process.group_leader.entry_meta.source.geo.name: - dashed_name: process-group-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.group_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.group_leader.entry_meta.source.geo.postal_code: - dashed_name: process-group-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.group_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -process.group_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-group-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.group_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.group_leader.entry_meta.source.geo.region_name: - dashed_name: process-group-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.group_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. 
- type: keyword -process.group_leader.entry_meta.source.geo.timezone: - dashed_name: process-group-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.group_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -process.group_leader.entry_meta.source.ip: - dashed_name: process-group-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.group_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.group_leader.entry_meta.source.mac: - dashed_name: process-group-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.group_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.group_leader.entry_meta.source.nat.ip: - dashed_name: process-group-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' 
- flat_name: process.group_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.group_leader.entry_meta.source.nat.port: - dashed_name: process-group-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.group_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.group_leader.entry_meta.source.packets: - dashed_name: process-group-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.group_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.group_leader.entry_meta.source.port: - dashed_name: process-group-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.group_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.group_leader.entry_meta.source.registered_domain: - dashed_name: process-group-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' 
- example: example.com - flat_name: process.group_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword -process.group_leader.entry_meta.source.subdomain: - dashed_name: process-group-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.group_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword -process.group_leader.entry_meta.source.top_level_domain: - dashed_name: process-group-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' 
- example: co.uk - flat_name: process.group_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword -process.group_leader.entry_meta.type: - dashed_name: process-group-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.group_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword -process.group_leader.env_vars: - dashed_name: process-group-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.group_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.group_leader.executable: - dashed_name: process-group-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.group_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. 
- type: keyword -process.group_leader.exit_code: - dashed_name: process-group-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.group_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long -process.group_leader.group.domain: - dashed_name: process-group-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.group_leader.group.id: - dashed_name: process-group-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group_leader.group.name: - dashed_name: process-group-leader-group-name - description: Name of the group. - flat_name: process.group_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.group_leader.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. 
- example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.group_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.group_leader.hash.md5: - dashed_name: process-group-leader-hash-md5 - description: MD5 hash. - flat_name: process.group_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.group_leader.hash.sha1: - dashed_name: process-group-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.group_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.group_leader.hash.sha256: - dashed_name: process-group-leader-hash-sha256 - description: SHA256 hash. - flat_name: process.group_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.group_leader.hash.sha384: - dashed_name: process-group-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.group_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword -process.group_leader.hash.sha512: - dashed_name: process-group-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.group_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.group_leader.hash.ssdeep: - dashed_name: process-group-leader-hash-ssdeep - description: SSDEEP hash. - flat_name: process.group_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. 
- type: keyword -process.group_leader.hash.tlsh: - dashed_name: process-group-leader-hash-tlsh - description: TLSH hash. - flat_name: process.group_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword -process.group_leader.interactive: - dashed_name: process-group-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.group_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.group_leader.io: - dashed_name: process-group-leader-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.group_leader.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object -process.group_leader.io.bytes_skipped: - dashed_name: process-group-leader-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. 
- flat_name: process.group_leader.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been skipped. - type: object -process.group_leader.io.bytes_skipped.length: - dashed_name: process-group-leader-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.group_leader.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long -process.group_leader.io.bytes_skipped.offset: - dashed_name: process-group-leader-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.group_leader.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.group_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-group-leader-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.group_leader.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.group_leader.io.text: - dashed_name: process-group-leader-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. 
TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.group_leader.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard -process.group_leader.io.total_bytes_captured: - dashed_name: process-group-leader-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.group_leader.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long -process.group_leader.io.total_bytes_skipped: - dashed_name: process-group-leader-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.group_leader.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. - type: long -process.group_leader.io.type: - dashed_name: process-group-leader-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.group_leader.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. 
- type: keyword -process.group_leader.macho.go_import_hash: - dashed_name: process-group-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.group_leader.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword -process.group_leader.macho.go_imports: - dashed_name: process-group-leader-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.group_leader.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.group_leader.macho.go_imports_names_entropy: - dashed_name: process-group-leader-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.group_leader.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long -process.group_leader.macho.go_imports_names_var_entropy: - dashed_name: process-group-leader-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. 
- flat_name: process.group_leader.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.group_leader.macho.go_stripped: - dashed_name: process-group-leader-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.group_leader.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.group_leader.macho.import_hash: - dashed_name: process-group-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.group_leader.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.group_leader.macho.imports: - dashed_name: process-group-leader-macho-imports - description: List of imported element names and types. - flat_name: process.group_leader.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened -process.group_leader.macho.imports_names_entropy: - dashed_name: process-group-leader-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.group_leader.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.group_leader.macho.imports_names_var_entropy: - dashed_name: process-group-leader-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.group_leader.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.group_leader.macho.sections: - dashed_name: process-group-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.group_leader.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested -process.group_leader.macho.sections.entropy: - dashed_name: process-group-leader-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.group_leader.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long -process.group_leader.macho.sections.name: - dashed_name: process-group-leader-macho-sections-name - description: Mach-O Section List name. 
- flat_name: process.group_leader.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword -process.group_leader.macho.sections.physical_size: - dashed_name: process-group-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.group_leader.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long -process.group_leader.macho.sections.var_entropy: - dashed_name: process-group-leader-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.group_leader.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long -process.group_leader.macho.sections.virtual_size: - dashed_name: process-group-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.group_leader.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long -process.group_leader.macho.symhash: - dashed_name: process-group-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. 
- - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.group_leader.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.group_leader.name: - dashed_name: process-group-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.group_leader.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword -process.group_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. - example: http://example.com/article1.html - flat_name: process.group_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.group_leader.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.group_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword -process.group_leader.pe.architecture: - dashed_name: process-group-leader-pe-architecture - description: CPU architecture target for the file. 
- example: x64 - flat_name: process.group_leader.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword -process.group_leader.pe.company: - dashed_name: process-group-leader-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.group_leader.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.group_leader.pe.description: - dashed_name: process-group-leader-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.group_leader.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword -process.group_leader.pe.file_version: - dashed_name: process-group-leader-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.group_leader.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword -process.group_leader.pe.go_import_hash: - dashed_name: process-group-leader-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.group_leader.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword -process.group_leader.pe.go_imports: - dashed_name: process-group-leader-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.group_leader.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened -process.group_leader.pe.go_imports_names_entropy: - dashed_name: process-group-leader-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.group_leader.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long -process.group_leader.pe.go_imports_names_var_entropy: - dashed_name: process-group-leader-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.group_leader.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.group_leader.pe.go_stripped: - dashed_name: process-group-leader-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. 
- flat_name: process.group_leader.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.group_leader.pe.imphash: - dashed_name: process-group-leader-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.group_leader.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.group_leader.pe.import_hash: - dashed_name: process-group-leader-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.group_leader.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.group_leader.pe.imports: - dashed_name: process-group-leader-pe-imports - description: List of imported element names and types. - flat_name: process.group_leader.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. 
- type: flattened -process.group_leader.pe.imports_names_entropy: - dashed_name: process-group-leader-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.group_leader.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.group_leader.pe.imports_names_var_entropy: - dashed_name: process-group-leader-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.group_leader.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.group_leader.pe.original_file_name: - dashed_name: process-group-leader-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.group_leader.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword -process.group_leader.pe.pehash: - dashed_name: process-group-leader-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' 
- example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.group_leader.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword -process.group_leader.pe.product: - dashed_name: process-group-leader-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.group_leader.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.group_leader.pe.sections: - dashed_name: process-group-leader-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.group_leader.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.group_leader.pe.sections.entropy: - dashed_name: process-group-leader-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.group_leader.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long -process.group_leader.pe.sections.name: - dashed_name: process-group-leader-pe-sections-name - description: PE Section List name. - flat_name: process.group_leader.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. 
- type: keyword -process.group_leader.pe.sections.physical_size: - dashed_name: process-group-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.group_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.group_leader.pe.sections.var_entropy: - dashed_name: process-group-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.group_leader.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.group_leader.pe.sections.virtual_size: - dashed_name: process-group-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.group_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.group_leader.pid: - dashed_name: process-group-leader-pid - description: Process id. - example: 4242 - flat_name: process.group_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - otel: - - relation: match - short: Process id. - type: long -process.group_leader.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. 
- flat_name: process.group_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.group_leader.real_group.domain: - dashed_name: process-group-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.group_leader.real_group.id: - dashed_name: process-group-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group_leader.real_group.name: - dashed_name: process-group-leader-real-group-name - description: Name of the group. - flat_name: process.group_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.group_leader.real_user.domain: - dashed_name: process-group-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.group_leader.real_user.email: - dashed_name: process-group-leader-real-user-email - description: User email address. 
- flat_name: process.group_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.group_leader.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.group_leader.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.group_leader.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.group_leader.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.group_leader.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. 
This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.group_leader.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.real_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.group_leader.real_user.entity.id: - dashed_name: process-group-leader-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.group_leader.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.group_leader.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.group_leader.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." 
- type: date -process.group_leader.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.group_leader.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.group_leader.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.group_leader.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.group_leader.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.group_leader.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.real_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. 
- type: keyword -process.group_leader.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.group_leader.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.group_leader.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.group_leader.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.group_leader.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.group_leader.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.group_leader.real_user.entity.sub_type: - beta: This field is beta and subject to change. 
- dashed_name: process-group-leader-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.group_leader.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.group_leader.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. 
This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.group_leader.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.group_leader.real_user.full_name: - dashed_name: process-group-leader-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.group_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. 
- type: keyword -process.group_leader.real_user.group.domain: - dashed_name: process-group-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.group_leader.real_user.group.id: - dashed_name: process-group-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group_leader.real_user.group.name: - dashed_name: process-group-leader-real-user-group-name - description: Name of the group. - flat_name: process.group_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.group_leader.real_user.hash: - dashed_name: process-group-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.group_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.group_leader.real_user.id: - dashed_name: process-group-leader-real-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.group_leader.real_user.name: - dashed_name: process-group-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.group_leader.real_user.risk.calculated_level: - dashed_name: process-group-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.group_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.group_leader.real_user.risk.calculated_score: - dashed_name: process-group-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.group_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: float -process.group_leader.real_user.risk.calculated_score_norm: - dashed_name: process-group-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.group_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.group_leader.real_user.risk.static_level: - dashed_name: process-group-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.group_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.group_leader.real_user.risk.static_score: - dashed_name: process-group-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.group_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.group_leader.real_user.risk.static_score_norm: - dashed_name: process-group-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.group_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.group_leader.real_user.roles: - dashed_name: process-group-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.group_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.group_leader.same_as_process: - dashed_name: process-group-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. 
e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.group_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.group_leader.saved_group.domain: - dashed_name: process-group-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.group_leader.saved_group.id: - dashed_name: process-group-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group_leader.saved_group.name: - dashed_name: process-group-leader-saved-group-name - description: Name of the group. - flat_name: process.group_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.group_leader.saved_user.domain: - dashed_name: process-group-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.group_leader.saved_user.email: - dashed_name: process-group-leader-saved-user-email - description: User email address. - flat_name: process.group_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.group_leader.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.group_leader.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.group_leader.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. 
Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.group_leader.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.group_leader.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.group_leader.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.saved_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.group_leader.saved_user.entity.id: - dashed_name: process-group-leader-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' 
- flat_name: process.group_leader.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.group_leader.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.group_leader.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.group_leader.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.group_leader.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.group_leader.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.group_leader.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. 
- type: object -process.group_leader.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.group_leader.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.saved_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.group_leader.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.group_leader.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.group_leader.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. 
- flat_name: process.group_leader.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.group_leader.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.group_leader.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.group_leader.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.group_leader.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.group_leader.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. 
- name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. 
This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
- example: host - flat_name: process.group_leader.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.group_leader.saved_user.full_name: - dashed_name: process-group-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.group_leader.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.group_leader.saved_user.group.domain: - dashed_name: process-group-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.group_leader.saved_user.group.id: - dashed_name: process-group-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group_leader.saved_user.group.name: - dashed_name: process-group-leader-saved-user-group-name - description: Name of the group. - flat_name: process.group_leader.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.group_leader.saved_user.hash: - dashed_name: process-group-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.group_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.group_leader.saved_user.id: - dashed_name: process-group-leader-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.group_leader.saved_user.name: - dashed_name: process-group-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.group_leader.saved_user.risk.calculated_level: - dashed_name: process-group-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.group_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: keyword -process.group_leader.saved_user.risk.calculated_score: - dashed_name: process-group-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.group_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.group_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-group-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.group_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.group_leader.saved_user.risk.static_level: - dashed_name: process-group-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.group_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.group_leader.saved_user.risk.static_score: - dashed_name: process-group-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.group_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.group_leader.saved_user.risk.static_score_norm: - dashed_name: process-group-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.group_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.group_leader.saved_user.roles: - dashed_name: process-group-leader-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.group_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.group_leader.start: - dashed_name: process-group-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.group_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.group_leader.supplemental_groups.domain: - dashed_name: process-group-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.group_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.group_leader.supplemental_groups.id: - dashed_name: process-group-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group_leader.supplemental_groups.name: - dashed_name: process-group-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.group_leader.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.group_leader.thread.capabilities.effective: - dashed_name: process-group-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.group_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword -process.group_leader.thread.capabilities.permitted: - dashed_name: process-group-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.group_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword -process.group_leader.thread.id: - dashed_name: process-group-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.group_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long -process.group_leader.thread.name: - dashed_name: process-group-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.group_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword -process.group_leader.title: - dashed_name: process-group-leader-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: for - example a browser setting its title to the web page currently opened.' - flat_name: process.group_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword -process.group_leader.tty: - dashed_name: process-group-leader-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.group_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. 
- type: object -process.group_leader.tty.char_device.major: - dashed_name: process-group-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.group_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long -process.group_leader.tty.char_device.minor: - dashed_name: process-group-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.group_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long -process.group_leader.tty.columns: - dashed_name: process-group-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.group_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long -process.group_leader.tty.rows: - dashed_name: process-group-leader-tty-rows - description: 'The number of character rows in the terminal. 
e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.group_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long -process.group_leader.uptime: - dashed_name: process-group-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.group_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long -process.group_leader.user.domain: - dashed_name: process-group-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.group_leader.user.email: - dashed_name: process-group-leader-user-email - description: User email address. - flat_name: process.group_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.group_leader.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. 
- flat_name: process.group_leader.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.group_leader.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.group_leader.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.group_leader.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.group_leader.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.group_leader.user.entity.id: - dashed_name: process-group-leader-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.group_leader.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.group_leader.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.group_leader.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.group_leader.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.group_leader.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. 
- type: object -process.group_leader.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.group_leader.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.group_leader.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.group_leader.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.group_leader.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.group_leader.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.group_leader.user.entity.reference: - beta: This field is beta and subject to change. 
- dashed_name: process-group-leader-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.group_leader.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.group_leader.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.group_leader.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.group_leader.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.group_leader.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. 
- type: keyword -process.group_leader.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. 
- name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-type - description: 'A standardized high-level classification of the entity. 
This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.group_leader.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.group_leader.user.full_name: - dashed_name: process-group-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.group_leader.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.group_leader.user.group.domain: - dashed_name: process-group-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.group_leader.user.group.id: - dashed_name: process-group-leader-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group_leader.user.group.name: - dashed_name: process-group-leader-user-group-name - description: Name of the group. 
- flat_name: process.group_leader.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.group_leader.user.hash: - dashed_name: process-group-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.group_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.group_leader.user.id: - dashed_name: process-group-leader-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.group_leader.user.name: - dashed_name: process-group-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.group_leader.user.risk.calculated_level: - dashed_name: process-group-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: High - flat_name: process.group_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.group_leader.user.risk.calculated_score: - dashed_name: process-group-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.group_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.group_leader.user.risk.calculated_score_norm: - dashed_name: process-group-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.group_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.group_leader.user.risk.static_level: - dashed_name: process-group-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.group_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: keyword -process.group_leader.user.risk.static_score: - dashed_name: process-group-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.group_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.group_leader.user.risk.static_score_norm: - dashed_name: process-group-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.group_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.group_leader.user.roles: - dashed_name: process-group-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.group_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.group_leader.vpid: - dashed_name: process-group-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.group_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. 
- type: long -process.group_leader.working_directory: - dashed_name: process-group-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.group_leader.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword -process.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.hash.md5: - dashed_name: process-hash-md5 - description: MD5 hash. - flat_name: process.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.hash.sha1: - dashed_name: process-hash-sha1 - description: SHA1 hash. - flat_name: process.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.hash.sha256: - dashed_name: process-hash-sha256 - description: SHA256 hash. - flat_name: process.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.hash.sha384: - dashed_name: process-hash-sha384 - description: SHA384 hash. - flat_name: process.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. 
- type: keyword -process.hash.sha512: - dashed_name: process-hash-sha512 - description: SHA512 hash. - flat_name: process.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.hash.ssdeep: - dashed_name: process-hash-ssdeep - description: SSDEEP hash. - flat_name: process.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -process.hash.tlsh: - dashed_name: process-hash-tlsh - description: TLSH hash. - flat_name: process.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword -process.interactive: - dashed_name: process-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.interactive - level: extended - name: interactive - normalize: [] - otel: - - relation: match - short: Whether the process is connected to an interactive shell. - type: boolean -process.io: - dashed_name: process-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' 
- flat_name: process.io - level: extended - name: io - normalize: [] - short: A chunk of input or output (IO) from a single process. - type: object -process.io.bytes_skipped: - dashed_name: process-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. - flat_name: process.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - short: An array of byte offsets and lengths denoting where IO data has been skipped. - type: object -process.io.bytes_skipped.length: - dashed_name: process-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - short: The length of bytes skipped. - type: long -process.io.bytes_skipped.offset: - dashed_name: process-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.io.max_bytes_per_process_exceeded: - dashed_name: process-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.io.text: - dashed_name: process-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. 
Assumptions - should NOT be made that multiple lines will appear in the same event. TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.io.text - level: extended - name: io.text - normalize: [] - short: A chunk of output or input sanitized to UTF-8. - type: wildcard -process.io.total_bytes_captured: - dashed_name: process-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - short: The total number of bytes captured in this event. - type: long -process.io.total_bytes_skipped: - dashed_name: process-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. - type: long -process.io.type: - dashed_name: process-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - short: The type of object on which the IO action (read or write) was taken. - type: keyword -process.macho.go_import_hash: - dashed_name: process-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword -process.macho.go_imports: - dashed_name: process-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.macho.go_imports_names_entropy: - dashed_name: process-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long -process.macho.go_imports_names_var_entropy: - dashed_name: process-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long -process.macho.go_stripped: - dashed_name: process-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.macho.import_hash: - dashed_name: process-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.macho.imports: - dashed_name: process-macho-imports - description: List of imported element names and types. - flat_name: process.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened -process.macho.imports_names_entropy: - dashed_name: process-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.macho.imports_names_var_entropy: - dashed_name: process-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- flat_name: process.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.macho.sections: - dashed_name: process-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested -process.macho.sections.entropy: - dashed_name: process-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long -process.macho.sections.name: - dashed_name: process-macho-sections-name - description: Mach-O Section List name. - flat_name: process.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword -process.macho.sections.physical_size: - dashed_name: process-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long -process.macho.sections.var_entropy: - dashed_name: process-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. 
- flat_name: process.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long -process.macho.sections.virtual_size: - dashed_name: process-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long -process.macho.symhash: - dashed_name: process-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.name: - dashed_name: process-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.name.text - name: text - type: match_only_text - name: name - normalize: [] - short: Process name. - type: keyword -process.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. 
- example: http://example.com/article1.html - flat_name: process.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - short: The URL where the process's executable file is hosted. - type: keyword -process.parent.args: - dashed_name: process-parent-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.parent.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword -process.parent.args_count: - dashed_name: process-parent-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.parent.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long -process.parent.attested_groups.domain: - dashed_name: process-parent-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.parent.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.attested_groups.id: - dashed_name: process-parent-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.attested_groups.name: - dashed_name: process-parent-attested-groups-name - description: Name of the group. - flat_name: process.parent.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.attested_user.domain: - dashed_name: process-parent-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.parent.attested_user.email: - dashed_name: process-parent-attested-user-email - description: User email address. - flat_name: process.parent.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.parent.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. 
Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.parent.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.parent.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.parent.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.parent.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.parent.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.attested_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.parent.attested_user.entity.id: - dashed_name: process-parent-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.parent.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.parent.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.parent.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.parent.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.parent.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.parent.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.parent.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.parent.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.attested_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.parent.attested_user.entity.raw: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.parent.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.parent.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.parent.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.parent.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.parent.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.parent.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. 
This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.parent.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.parent.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. 
- name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. 
This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.parent.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.parent.attested_user.full_name: - dashed_name: process-parent-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.parent.attested_user.group.domain: - dashed_name: process-parent-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.parent.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.attested_user.group.id: - dashed_name: process-parent-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.attested_user.group.name: - dashed_name: process-parent-attested-user-group-name - description: Name of the group. - flat_name: process.parent.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.attested_user.hash: - dashed_name: process-parent-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.parent.attested_user.id: - dashed_name: process-parent-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.parent.attested_user.name: - dashed_name: process-parent-attested-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.parent.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.parent.attested_user.risk.calculated_level: - dashed_name: process-parent-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.parent.attested_user.risk.calculated_score: - dashed_name: process-parent-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.parent.attested_user.risk.calculated_score_norm: - dashed_name: process-parent-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. 
- example: 88.73 - flat_name: process.parent.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.parent.attested_user.risk.static_level: - dashed_name: process-parent-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.parent.attested_user.risk.static_score: - dashed_name: process-parent-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.parent.attested_user.risk.static_score_norm: - dashed_name: process-parent-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. 
- type: float -process.parent.attested_user.roles: - dashed_name: process-parent-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.parent.code_signature.digest_algorithm: - dashed_name: process-parent-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.parent.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword -process.parent.code_signature.exists: - dashed_name: process-parent-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.parent.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -process.parent.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-parent-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.parent.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword -process.parent.code_signature.signing_id: - dashed_name: process-parent-code-signature-signing-id - description: 'The identifier used to sign the process. 
- - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.parent.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword -process.parent.code_signature.status: - dashed_name: process-parent-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.parent.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword -process.parent.code_signature.subject_name: - dashed_name: process-parent-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.parent.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -process.parent.code_signature.team_id: - dashed_name: process-parent-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.parent.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. 
- type: keyword -process.parent.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-parent-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.parent.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword -process.parent.code_signature.timestamp: - dashed_name: process-parent-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.parent.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date -process.parent.code_signature.trusted: - dashed_name: process-parent-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.parent.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -process.parent.code_signature.valid: - dashed_name: process-parent-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' 
- example: 'true' - flat_name: process.parent.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -process.parent.command_line: - dashed_name: process-parent-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.parent.command_line - level: extended - multi_fields: - - flat_name: process.parent.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.parent.elf.architecture: - dashed_name: process-parent-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.parent.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword -process.parent.elf.byte_order: - dashed_name: process-parent-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.parent.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword -process.parent.elf.cpu_type: - dashed_name: process-parent-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.parent.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. 
- type: keyword -process.parent.elf.creation_date: - dashed_name: process-parent-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - flat_name: process.parent.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date -process.parent.elf.exports: - dashed_name: process-parent-elf-exports - description: List of exported element names and types. - flat_name: process.parent.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -process.parent.elf.go_import_hash: - dashed_name: process-parent-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword -process.parent.elf.go_imports: - dashed_name: process-parent-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. 
- type: flattened -process.parent.elf.go_imports_names_entropy: - dashed_name: process-parent-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long -process.parent.elf.go_imports_names_var_entropy: - dashed_name: process-parent-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.parent.elf.go_stripped: - dashed_name: process-parent-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.parent.elf.header.abi_version: - dashed_name: process-parent-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.parent.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword -process.parent.elf.header.class: - dashed_name: process-parent-elf-header-class - description: Header class of the ELF file. 
- flat_name: process.parent.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword -process.parent.elf.header.data: - dashed_name: process-parent-elf-header-data - description: Data table of the ELF header. - flat_name: process.parent.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword -process.parent.elf.header.entrypoint: - dashed_name: process-parent-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.parent.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -process.parent.elf.header.object_version: - dashed_name: process-parent-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.parent.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword -process.parent.elf.header.os_abi: - dashed_name: process-parent-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.parent.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword -process.parent.elf.header.type: - dashed_name: process-parent-elf-header-type - description: Header type of the ELF file. - flat_name: process.parent.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. 
- type: keyword -process.parent.elf.header.version: - dashed_name: process-parent-elf-header-version - description: Version of the ELF header. - flat_name: process.parent.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword -process.parent.elf.import_hash: - dashed_name: process-parent-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword -process.parent.elf.imports: - dashed_name: process-parent-elf-imports - description: List of imported element names and types. - flat_name: process.parent.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -process.parent.elf.imports_names_entropy: - dashed_name: process-parent-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.parent.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.parent.elf.imports_names_var_entropy: - dashed_name: process-parent-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- flat_name: process.parent.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.parent.elf.sections: - dashed_name: process-parent-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: process.parent.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -process.parent.elf.sections.chi2: - dashed_name: process-parent-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.parent.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long -process.parent.elf.sections.entropy: - dashed_name: process-parent-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -process.parent.elf.sections.flags: - dashed_name: process-parent-elf-sections-flags - description: ELF Section List flags. - flat_name: process.parent.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword -process.parent.elf.sections.name: - dashed_name: process-parent-elf-sections-name - description: ELF Section List name. 
- flat_name: process.parent.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword -process.parent.elf.sections.physical_offset: - dashed_name: process-parent-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.parent.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword -process.parent.elf.sections.physical_size: - dashed_name: process-parent-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.parent.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long -process.parent.elf.sections.type: - dashed_name: process-parent-elf-sections-type - description: ELF Section List type. - flat_name: process.parent.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword -process.parent.elf.sections.var_entropy: - dashed_name: process-parent-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long -process.parent.elf.sections.virtual_address: - dashed_name: process-parent-elf-sections-virtual-address - description: ELF Section List virtual address. 
- flat_name: process.parent.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -process.parent.elf.sections.virtual_size: - dashed_name: process-parent-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.parent.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long -process.parent.elf.segments: - dashed_name: process-parent-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: process.parent.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested -process.parent.elf.segments.sections: - dashed_name: process-parent-elf-segments-sections - description: ELF object segment sections. - flat_name: process.parent.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword -process.parent.elf.segments.type: - dashed_name: process-parent-elf-segments-type - description: ELF object segment type. - flat_name: process.parent.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword -process.parent.elf.shared_libraries: - dashed_name: process-parent-elf-shared-libraries - description: List of shared libraries used by this ELF object. 
- flat_name: process.parent.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword -process.parent.elf.telfhash: - dashed_name: process-parent-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.parent.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword -process.parent.end: - dashed_name: process-parent-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date -process.parent.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-parent-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.parent.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.parent.entity_id: - dashed_name: process-parent-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' 
- example: c2c455d9f99375d - flat_name: process.parent.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.parent.entry_meta.source.address: - dashed_name: process-parent-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.parent.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword -process.parent.entry_meta.source.as.number: - dashed_name: process-parent-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.parent.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.parent.entry_meta.source.as.organization.name: - dashed_name: process-parent-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.parent.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword -process.parent.entry_meta.source.bytes: - dashed_name: process-parent-entry-meta-source-bytes - description: Bytes sent from the source to the destination. 
- example: 184 - flat_name: process.parent.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long -process.parent.entry_meta.source.domain: - dashed_name: process-parent-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' - example: foo.example.com - flat_name: process.parent.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.parent.entry_meta.source.geo.city_name: - dashed_name: process-parent-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.parent.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.parent.entry_meta.source.geo.continent_code: - dashed_name: process-parent-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.parent.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -process.parent.entry_meta.source.geo.continent_name: - dashed_name: process-parent-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.parent.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. 
- type: keyword -process.parent.entry_meta.source.geo.country_iso_code: - dashed_name: process-parent-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.parent.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword -process.parent.entry_meta.source.geo.country_name: - dashed_name: process-parent-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.parent.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.parent.entry_meta.source.geo.location: - dashed_name: process-parent-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.parent.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -process.parent.entry_meta.source.geo.name: - dashed_name: process-parent-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.parent.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.parent.entry_meta.source.geo.postal_code: - dashed_name: process-parent-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. 
- - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.parent.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -process.parent.entry_meta.source.geo.region_iso_code: - dashed_name: process-parent-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.parent.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.parent.entry_meta.source.geo.region_name: - dashed_name: process-parent-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.parent.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -process.parent.entry_meta.source.geo.timezone: - dashed_name: process-parent-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.parent.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -process.parent.entry_meta.source.ip: - dashed_name: process-parent-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.parent.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.parent.entry_meta.source.mac: - dashed_name: process-parent-entry-meta-source-mac - description: 'MAC address of the source. 
- - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.parent.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.parent.entry_meta.source.nat.ip: - dashed_name: process-parent-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.parent.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.parent.entry_meta.source.nat.port: - dashed_name: process-parent-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.parent.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.parent.entry_meta.source.packets: - dashed_name: process-parent-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.parent.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.parent.entry_meta.source.port: - dashed_name: process-parent-entry-meta-source-port - description: Port of the source. 
- flat_name: process.parent.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.parent.entry_meta.source.registered_domain: - dashed_name: process-parent-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.parent.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword -process.parent.entry_meta.source.subdomain: - dashed_name: process-parent-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.parent.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. 
- type: keyword -process.parent.entry_meta.source.top_level_domain: - dashed_name: process-parent-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.parent.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword -process.parent.entry_meta.type: - dashed_name: process-parent-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.parent.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword -process.parent.env_vars: - dashed_name: process-parent-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.parent.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. 
- synthetic_source_keep: none - type: keyword -process.parent.executable: - dashed_name: process-parent-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.parent.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword -process.parent.exit_code: - dashed_name: process-parent-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.parent.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long -process.parent.group.domain: - dashed_name: process-parent-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.group.id: - dashed_name: process-parent-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.group.name: - dashed_name: process-parent-group-name - description: Name of the group. - flat_name: process.parent.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.parent.group_leader.args: - dashed_name: process-parent-group-leader-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.parent.group_leader.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword -process.parent.group_leader.args_count: - dashed_name: process-parent-group-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.parent.group_leader.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long -process.parent.group_leader.attested_groups.domain: - dashed_name: process-parent-group-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.group_leader.attested_groups.id: - dashed_name: process-parent-group-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword -process.parent.group_leader.attested_groups.name: - dashed_name: process-parent-group-leader-attested-groups-name - description: Name of the group. - flat_name: process.parent.group_leader.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.group_leader.attested_user.domain: - dashed_name: process-parent-group-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.parent.group_leader.attested_user.email: - dashed_name: process-parent-group-leader-attested-user-email - description: User email address. - flat_name: process.parent.group_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.parent.group_leader.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.parent.group_leader.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. 
- type: object -process.parent.group_leader.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.parent.group_leader.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.parent.group_leader.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.parent.group_leader.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.attested_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.parent.group_leader.attested_user.entity.id: - dashed_name: process-parent-group-leader-attested-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.parent.group_leader.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.parent.group_leader.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.parent.group_leader.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.parent.group_leader.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.parent.group_leader.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.parent.group_leader.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.parent.group_leader.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.parent.group_leader.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.parent.group_leader.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.attested_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.parent.group_leader.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. 
- flat_name: process.parent.group_leader.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.parent.group_leader.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.parent.group_leader.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.parent.group_leader.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.parent.group_leader.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.parent.group_leader.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.parent.group_leader.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.parent.group_leader.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. 
This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. 
This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.parent.group_leader.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.parent.group_leader.attested_user.full_name: - dashed_name: process-parent-group-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.group_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.parent.group_leader.attested_user.group.domain: - dashed_name: process-parent-group-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.parent.group_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.group_leader.attested_user.group.id: - dashed_name: process-parent-group-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.group_leader.attested_user.group.name: - dashed_name: process-parent-group-leader-attested-user-group-name - description: Name of the group. - flat_name: process.parent.group_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.group_leader.attested_user.hash: - dashed_name: process-parent-group-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.group_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.parent.group_leader.attested_user.id: - dashed_name: process-parent-group-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.group_leader.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword -process.parent.group_leader.attested_user.name: - dashed_name: process-parent-group-leader-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.group_leader.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.parent.group_leader.attested_user.risk.calculated_level: - dashed_name: process-parent-group-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.group_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.parent.group_leader.attested_user.risk.calculated_score: - dashed_name: process-parent-group-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.group_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: float -process.parent.group_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-parent-group-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.parent.group_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.parent.group_leader.attested_user.risk.static_level: - dashed_name: process-parent-group-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.group_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.parent.group_leader.attested_user.risk.static_score: - dashed_name: process-parent-group-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.group_leader.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.parent.group_leader.attested_user.risk.static_score_norm: - dashed_name: process-parent-group-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.group_leader.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.parent.group_leader.attested_user.roles: - dashed_name: process-parent-group-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.group_leader.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.parent.group_leader.code_signature.digest_algorithm: - dashed_name: process-parent-group-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.parent.group_leader.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword -process.parent.group_leader.code_signature.exists: - dashed_name: process-parent-group-leader-code-signature-exists - description: Boolean to capture if a signature is present. 
- example: 'true' - flat_name: process.parent.group_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -process.parent.group_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.parent.group_leader.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword -process.parent.group_leader.code_signature.signing_id: - dashed_name: process-parent-group-leader-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.parent.group_leader.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword -process.parent.group_leader.code_signature.status: - dashed_name: process-parent-group-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.parent.group_leader.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. 
- type: keyword -process.parent.group_leader.code_signature.subject_name: - dashed_name: process-parent-group-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.parent.group_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -process.parent.group_leader.code_signature.team_id: - dashed_name: process-parent-group-leader-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.parent.group_leader.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword -process.parent.group_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.parent.group_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword -process.parent.group_leader.code_signature.timestamp: - dashed_name: process-parent-group-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. 
- example: '2021-01-01T12:10:30Z' - flat_name: process.parent.group_leader.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date -process.parent.group_leader.code_signature.trusted: - dashed_name: process-parent-group-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.parent.group_leader.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -process.parent.group_leader.code_signature.valid: - dashed_name: process-parent-group-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.parent.group_leader.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -process.parent.group_leader.command_line: - dashed_name: process-parent-group-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' 
- example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.parent.group_leader.command_line - level: extended - multi_fields: - - flat_name: process.parent.group_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.parent.group_leader.elf.architecture: - dashed_name: process-parent-group-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.parent.group_leader.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword -process.parent.group_leader.elf.byte_order: - dashed_name: process-parent-group-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.parent.group_leader.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword -process.parent.group_leader.elf.cpu_type: - dashed_name: process-parent-group-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.parent.group_leader.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword -process.parent.group_leader.elf.creation_date: - dashed_name: process-parent-group-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - flat_name: process.parent.group_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. 
- type: date -process.parent.group_leader.elf.exports: - dashed_name: process-parent-group-leader-elf-exports - description: List of exported element names and types. - flat_name: process.parent.group_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -process.parent.group_leader.elf.go_import_hash: - dashed_name: process-parent-group-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.group_leader.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword -process.parent.group_leader.elf.go_imports: - dashed_name: process-parent-group-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.group_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened -process.parent.group_leader.elf.go_imports_names_entropy: - dashed_name: process-parent-group-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.parent.group_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long -process.parent.group_leader.elf.go_imports_names_var_entropy: - dashed_name: process-parent-group-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.group_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.parent.group_leader.elf.go_stripped: - dashed_name: process-parent-group-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.group_leader.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.parent.group_leader.elf.header.abi_version: - dashed_name: process-parent-group-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.parent.group_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword -process.parent.group_leader.elf.header.class: - dashed_name: process-parent-group-leader-elf-header-class - description: Header class of the ELF file. 
- flat_name: process.parent.group_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword -process.parent.group_leader.elf.header.data: - dashed_name: process-parent-group-leader-elf-header-data - description: Data table of the ELF header. - flat_name: process.parent.group_leader.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword -process.parent.group_leader.elf.header.entrypoint: - dashed_name: process-parent-group-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.parent.group_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -process.parent.group_leader.elf.header.object_version: - dashed_name: process-parent-group-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.parent.group_leader.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword -process.parent.group_leader.elf.header.os_abi: - dashed_name: process-parent-group-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.parent.group_leader.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword -process.parent.group_leader.elf.header.type: - dashed_name: process-parent-group-leader-elf-header-type - description: Header type of the ELF file. 
- flat_name: process.parent.group_leader.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword -process.parent.group_leader.elf.header.version: - dashed_name: process-parent-group-leader-elf-header-version - description: Version of the ELF header. - flat_name: process.parent.group_leader.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword -process.parent.group_leader.elf.import_hash: - dashed_name: process-parent-group-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.group_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword -process.parent.group_leader.elf.imports: - dashed_name: process-parent-group-leader-elf-imports - description: List of imported element names and types. - flat_name: process.parent.group_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -process.parent.group_leader.elf.imports_names_entropy: - dashed_name: process-parent-group-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.parent.group_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.parent.group_leader.elf.imports_names_var_entropy: - dashed_name: process-parent-group-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.group_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.parent.group_leader.elf.sections: - dashed_name: process-parent-group-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: process.parent.group_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -process.parent.group_leader.elf.sections.chi2: - dashed_name: process-parent-group-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.parent.group_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long -process.parent.group_leader.elf.sections.entropy: - dashed_name: process-parent-group-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.parent.group_leader.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -process.parent.group_leader.elf.sections.flags: - dashed_name: process-parent-group-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.parent.group_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword -process.parent.group_leader.elf.sections.name: - dashed_name: process-parent-group-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.parent.group_leader.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword -process.parent.group_leader.elf.sections.physical_offset: - dashed_name: process-parent-group-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.parent.group_leader.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword -process.parent.group_leader.elf.sections.physical_size: - dashed_name: process-parent-group-leader-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.parent.group_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long -process.parent.group_leader.elf.sections.type: - dashed_name: process-parent-group-leader-elf-sections-type - description: ELF Section List type. 
- flat_name: process.parent.group_leader.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword -process.parent.group_leader.elf.sections.var_entropy: - dashed_name: process-parent-group-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long -process.parent.group_leader.elf.sections.virtual_address: - dashed_name: process-parent-group-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.parent.group_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -process.parent.group_leader.elf.sections.virtual_size: - dashed_name: process-parent-group-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.parent.group_leader.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long -process.parent.group_leader.elf.segments: - dashed_name: process-parent-group-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: process.parent.group_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. 
- type: nested -process.parent.group_leader.elf.segments.sections: - dashed_name: process-parent-group-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.parent.group_leader.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword -process.parent.group_leader.elf.segments.type: - dashed_name: process-parent-group-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.parent.group_leader.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword -process.parent.group_leader.elf.shared_libraries: - dashed_name: process-parent-group-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.parent.group_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword -process.parent.group_leader.elf.telfhash: - dashed_name: process-parent-group-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.parent.group_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword -process.parent.group_leader.end: - dashed_name: process-parent-group-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.group_leader.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date -process.parent.group_leader.endpoint_security_client: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-group-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.parent.group_leader.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.parent.group_leader.entity_id: - dashed_name: process-parent-group-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.parent.group_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.parent.group_leader.entry_meta.source.address: - dashed_name: process-parent-group-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.parent.group_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. 
- type: keyword -process.parent.group_leader.entry_meta.source.as.number: - dashed_name: process-parent-group-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.parent.group_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.parent.group_leader.entry_meta.source.as.organization.name: - dashed_name: process-parent-group-leader-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.parent.group_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword -process.parent.group_leader.entry_meta.source.bytes: - dashed_name: process-parent-group-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.parent.group_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long -process.parent.group_leader.entry_meta.source.domain: - dashed_name: process-parent-group-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' 
- example: foo.example.com - flat_name: process.parent.group_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.parent.group_leader.entry_meta.source.geo.city_name: - dashed_name: process-parent-group-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.parent.group_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.parent.group_leader.entry_meta.source.geo.continent_code: - dashed_name: process-parent-group-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.parent.group_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -process.parent.group_leader.entry_meta.source.geo.continent_name: - dashed_name: process-parent-group-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.parent.group_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword -process.parent.group_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-parent-group-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.parent.group_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. 
- type: keyword -process.parent.group_leader.entry_meta.source.geo.country_name: - dashed_name: process-parent-group-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.parent.group_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.parent.group_leader.entry_meta.source.geo.location: - dashed_name: process-parent-group-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.parent.group_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -process.parent.group_leader.entry_meta.source.geo.name: - dashed_name: process-parent-group-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.parent.group_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.parent.group_leader.entry_meta.source.geo.postal_code: - dashed_name: process-parent-group-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' 
- example: 94040 - flat_name: process.parent.group_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -process.parent.group_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-parent-group-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.parent.group_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.parent.group_leader.entry_meta.source.geo.region_name: - dashed_name: process-parent-group-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.parent.group_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -process.parent.group_leader.entry_meta.source.geo.timezone: - dashed_name: process-parent-group-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.parent.group_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -process.parent.group_leader.entry_meta.source.ip: - dashed_name: process-parent-group-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.parent.group_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. 
- type: ip -process.parent.group_leader.entry_meta.source.mac: - dashed_name: process-parent-group-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.parent.group_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.parent.group_leader.entry_meta.source.nat.ip: - dashed_name: process-parent-group-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.parent.group_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.parent.group_leader.entry_meta.source.nat.port: - dashed_name: process-parent-group-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.parent.group_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.parent.group_leader.entry_meta.source.packets: - dashed_name: process-parent-group-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. 
- example: 12 - flat_name: process.parent.group_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.parent.group_leader.entry_meta.source.port: - dashed_name: process-parent-group-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.parent.group_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.parent.group_leader.entry_meta.source.registered_domain: - dashed_name: process-parent-group-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.parent.group_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword -process.parent.group_leader.entry_meta.source.subdomain: - dashed_name: process-parent-group-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.parent.group_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword -process.parent.group_leader.entry_meta.source.top_level_domain: - dashed_name: process-parent-group-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.parent.group_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword -process.parent.group_leader.entry_meta.type: - dashed_name: process-parent-group-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.parent.group_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword -process.parent.group_leader.env_vars: - dashed_name: process-parent-group-leader-env-vars - description: 'Array of environment variable bindings. 
Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.parent.group_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.parent.group_leader.executable: - dashed_name: process-parent-group-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.parent.group_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword -process.parent.group_leader.exit_code: - dashed_name: process-parent-group-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.parent.group_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long -process.parent.group_leader.group.domain: - dashed_name: process-parent-group-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.parent.group_leader.group.id: - dashed_name: process-parent-group-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.group_leader.group.name: - dashed_name: process-parent-group-leader-group-name - description: Name of the group. - flat_name: process.parent.group_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.group_leader.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.parent.group_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.parent.group_leader.hash.md5: - dashed_name: process-parent-group-leader-hash-md5 - description: MD5 hash. - flat_name: process.parent.group_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.parent.group_leader.hash.sha1: - dashed_name: process-parent-group-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.parent.group_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.parent.group_leader.hash.sha256: - dashed_name: process-parent-group-leader-hash-sha256 - description: SHA256 hash. 
- flat_name: process.parent.group_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.parent.group_leader.hash.sha384: - dashed_name: process-parent-group-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.parent.group_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword -process.parent.group_leader.hash.sha512: - dashed_name: process-parent-group-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.parent.group_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.parent.group_leader.hash.ssdeep: - dashed_name: process-parent-group-leader-hash-ssdeep - description: SSDEEP hash. - flat_name: process.parent.group_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -process.parent.group_leader.hash.tlsh: - dashed_name: process-parent-group-leader-hash-tlsh - description: TLSH hash. - flat_name: process.parent.group_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword -process.parent.group_leader.interactive: - dashed_name: process-parent-group-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. 
- - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.parent.group_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.parent.group_leader.io: - dashed_name: process-parent-group-leader-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.parent.group_leader.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object -process.parent.group_leader.io.bytes_skipped: - dashed_name: process-parent-group-leader-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. - flat_name: process.parent.group_leader.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been skipped. - type: object -process.parent.group_leader.io.bytes_skipped.length: - dashed_name: process-parent-group-leader-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.parent.group_leader.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. 
- type: long -process.parent.group_leader.io.bytes_skipped.offset: - dashed_name: process-parent-group-leader-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.parent.group_leader.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.parent.group_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-parent-group-leader-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.parent.group_leader.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.parent.group_leader.io.text: - dashed_name: process-parent-group-leader-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.parent.group_leader.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. 
- type: wildcard -process.parent.group_leader.io.total_bytes_captured: - dashed_name: process-parent-group-leader-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.parent.group_leader.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long -process.parent.group_leader.io.total_bytes_skipped: - dashed_name: process-parent-group-leader-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.parent.group_leader.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. - type: long -process.parent.group_leader.io.type: - dashed_name: process-parent-group-leader-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.parent.group_leader.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword -process.parent.group_leader.macho.go_import_hash: - dashed_name: process-parent-group-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.group_leader.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword -process.parent.group_leader.macho.go_imports: - dashed_name: process-parent-group-leader-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.group_leader.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.parent.group_leader.macho.go_imports_names_entropy: - dashed_name: process-parent-group-leader-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.group_leader.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long -process.parent.group_leader.macho.go_imports_names_var_entropy: - dashed_name: process-parent-group-leader-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.group_leader.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long -process.parent.group_leader.macho.go_stripped: - dashed_name: process-parent-group-leader-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.group_leader.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.parent.group_leader.macho.import_hash: - dashed_name: process-parent-group-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.group_leader.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.parent.group_leader.macho.imports: - dashed_name: process-parent-group-leader-macho-imports - description: List of imported element names and types. - flat_name: process.parent.group_leader.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened -process.parent.group_leader.macho.imports_names_entropy: - dashed_name: process-parent-group-leader-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.parent.group_leader.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.parent.group_leader.macho.imports_names_var_entropy: - dashed_name: process-parent-group-leader-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.group_leader.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.parent.group_leader.macho.sections: - dashed_name: process-parent-group-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.parent.group_leader.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested -process.parent.group_leader.macho.sections.entropy: - dashed_name: process-parent-group-leader-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long -process.parent.group_leader.macho.sections.name: - dashed_name: process-parent-group-leader-macho-sections-name - description: Mach-O Section List name. 
- flat_name: process.parent.group_leader.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword -process.parent.group_leader.macho.sections.physical_size: - dashed_name: process-parent-group-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.parent.group_leader.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long -process.parent.group_leader.macho.sections.var_entropy: - dashed_name: process-parent-group-leader-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long -process.parent.group_leader.macho.sections.virtual_size: - dashed_name: process-parent-group-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.group_leader.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long -process.parent.group_leader.macho.symhash: - dashed_name: process-parent-group-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. 
- - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.parent.group_leader.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.parent.group_leader.name: - dashed_name: process-parent-group-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.parent.group_leader.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword -process.parent.group_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. - example: http://example.com/article1.html - flat_name: process.parent.group_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.parent.group_leader.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.parent.group_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. 
- type: keyword -process.parent.group_leader.pe.architecture: - dashed_name: process-parent-group-leader-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.parent.group_leader.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword -process.parent.group_leader.pe.company: - dashed_name: process-parent-group-leader-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.parent.group_leader.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.parent.group_leader.pe.description: - dashed_name: process-parent-group-leader-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.parent.group_leader.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword -process.parent.group_leader.pe.file_version: - dashed_name: process-parent-group-leader-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.parent.group_leader.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword -process.parent.group_leader.pe.go_import_hash: - dashed_name: process-parent-group-leader-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.group_leader.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword -process.parent.group_leader.pe.go_imports: - dashed_name: process-parent-group-leader-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.group_leader.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened -process.parent.group_leader.pe.go_imports_names_entropy: - dashed_name: process-parent-group-leader-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.group_leader.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long -process.parent.group_leader.pe.go_imports_names_var_entropy: - dashed_name: process-parent-group-leader-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.group_leader.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long -process.parent.group_leader.pe.go_stripped: - dashed_name: process-parent-group-leader-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.group_leader.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.parent.group_leader.pe.imphash: - dashed_name: process-parent-group-leader-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.parent.group_leader.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.parent.group_leader.pe.import_hash: - dashed_name: process-parent-group-leader-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.group_leader.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.parent.group_leader.pe.imports: - dashed_name: process-parent-group-leader-pe-imports - description: List of imported element names and types. 
- flat_name: process.parent.group_leader.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened -process.parent.group_leader.pe.imports_names_entropy: - dashed_name: process-parent-group-leader-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.parent.group_leader.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.parent.group_leader.pe.imports_names_var_entropy: - dashed_name: process-parent-group-leader-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.group_leader.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.parent.group_leader.pe.original_file_name: - dashed_name: process-parent-group-leader-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.parent.group_leader.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword -process.parent.group_leader.pe.pehash: - dashed_name: process-parent-group-leader-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. 
- - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.parent.group_leader.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword -process.parent.group_leader.pe.product: - dashed_name: process-parent-group-leader-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.parent.group_leader.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.parent.group_leader.pe.sections: - dashed_name: process-parent-group-leader-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.parent.group_leader.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.parent.group_leader.pe.sections.entropy: - dashed_name: process-parent-group-leader-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long -process.parent.group_leader.pe.sections.name: - dashed_name: process-parent-group-leader-pe-sections-name - description: PE Section List name. 
- flat_name: process.parent.group_leader.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword -process.parent.group_leader.pe.sections.physical_size: - dashed_name: process-parent-group-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.parent.group_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.parent.group_leader.pe.sections.var_entropy: - dashed_name: process-parent-group-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.parent.group_leader.pe.sections.virtual_size: - dashed_name: process-parent-group-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.group_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.parent.group_leader.pid: - dashed_name: process-parent-group-leader-pid - description: Process id. - example: 4242 - flat_name: process.parent.group_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long -process.parent.group_leader.platform_binary: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-group-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. - flat_name: process.parent.group_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.parent.group_leader.real_group.domain: - dashed_name: process-parent-group-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.group_leader.real_group.id: - dashed_name: process-parent-group-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.group_leader.real_group.name: - dashed_name: process-parent-group-leader-real-group-name - description: Name of the group. - flat_name: process.parent.group_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.group_leader.real_user.domain: - dashed_name: process-parent-group-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.parent.group_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.parent.group_leader.real_user.email: - dashed_name: process-parent-group-leader-real-user-email - description: User email address. - flat_name: process.parent.group_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.parent.group_leader.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.parent.group_leader.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.parent.group_leader.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. 
- flat_name: process.parent.group_leader.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.parent.group_leader.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.parent.group_leader.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.real_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.parent.group_leader.real_user.entity.id: - dashed_name: process-parent-group-leader-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.parent.group_leader.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. 
- type: keyword -process.parent.group_leader.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.parent.group_leader.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.parent.group_leader.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.group_leader.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.parent.group_leader.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.parent.group_leader.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.parent.group_leader.real_user.entity.name: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-group-leader-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.parent.group_leader.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.real_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.parent.group_leader.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.parent.group_leader.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.parent.group_leader.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.parent.group_leader.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. 
- type: keyword -process.parent.group_leader.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.parent.group_leader.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.parent.group_leader.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.parent.group_leader.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.parent.group_leader.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. 
This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. 
This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
- example: host - flat_name: process.parent.group_leader.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.parent.group_leader.real_user.full_name: - dashed_name: process-parent-group-leader-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.group_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.parent.group_leader.real_user.group.domain: - dashed_name: process-parent-group-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.group_leader.real_user.group.id: - dashed_name: process-parent-group-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.group_leader.real_user.group.name: - dashed_name: process-parent-group-leader-real-user-group-name - description: Name of the group. 
- flat_name: process.parent.group_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.group_leader.real_user.hash: - dashed_name: process-parent-group-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.group_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.parent.group_leader.real_user.id: - dashed_name: process-parent-group-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.group_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.parent.group_leader.real_user.name: - dashed_name: process-parent-group-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.group_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.parent.group_leader.real_user.risk.calculated_level: - dashed_name: process-parent-group-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: High - flat_name: process.parent.group_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.parent.group_leader.real_user.risk.calculated_score: - dashed_name: process-parent-group-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.group_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.parent.group_leader.real_user.risk.calculated_score_norm: - dashed_name: process-parent-group-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.parent.group_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.parent.group_leader.real_user.risk.static_level: - dashed_name: process-parent-group-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.parent.group_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.parent.group_leader.real_user.risk.static_score: - dashed_name: process-parent-group-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.group_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.parent.group_leader.real_user.risk.static_score_norm: - dashed_name: process-parent-group-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.group_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.parent.group_leader.real_user.roles: - dashed_name: process-parent-group-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.group_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword -process.parent.group_leader.same_as_process: - dashed_name: process-parent-group-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.parent.group_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.parent.group_leader.saved_group.domain: - dashed_name: process-parent-group-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.parent.group_leader.saved_group.id: - dashed_name: process-parent-group-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.group_leader.saved_group.name: - dashed_name: process-parent-group-leader-saved-group-name - description: Name of the group. - flat_name: process.parent.group_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.group_leader.saved_user.domain: - dashed_name: process-parent-group-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.parent.group_leader.saved_user.email: - dashed_name: process-parent-group-leader-saved-user-email - description: User email address. - flat_name: process.parent.group_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.parent.group_leader.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. 
Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.parent.group_leader.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.parent.group_leader.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.parent.group_leader.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.parent.group_leader.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.parent.group_leader.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.saved_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.parent.group_leader.saved_user.entity.id: - dashed_name: process-parent-group-leader-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.parent.group_leader.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.parent.group_leader.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.parent.group_leader.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." 
- type: date -process.parent.group_leader.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.group_leader.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.parent.group_leader.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.parent.group_leader.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.parent.group_leader.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.parent.group_leader.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.saved_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. 
- type: keyword -process.parent.group_leader.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.parent.group_leader.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.parent.group_leader.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.parent.group_leader.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.parent.group_leader.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.parent.group_leader.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.parent.group_leader.saved_user.entity.sub_type: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-group-leader-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.parent.group_leader.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.parent.group_leader.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. 
This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.parent.group_leader.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.parent.group_leader.saved_user.full_name: - dashed_name: process-parent-group-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.group_leader.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. 
- type: keyword -process.parent.group_leader.saved_user.group.domain: - dashed_name: process-parent-group-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.group_leader.saved_user.group.id: - dashed_name: process-parent-group-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.group_leader.saved_user.group.name: - dashed_name: process-parent-group-leader-saved-user-group-name - description: Name of the group. - flat_name: process.parent.group_leader.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.group_leader.saved_user.hash: - dashed_name: process-parent-group-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.group_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.parent.group_leader.saved_user.id: - dashed_name: process-parent-group-leader-saved-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.group_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.parent.group_leader.saved_user.name: - dashed_name: process-parent-group-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.group_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.parent.group_leader.saved_user.risk.calculated_level: - dashed_name: process-parent-group-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.group_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.parent.group_leader.saved_user.risk.calculated_score: - dashed_name: process-parent-group-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.group_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: float -process.parent.group_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-parent-group-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.parent.group_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.parent.group_leader.saved_user.risk.static_level: - dashed_name: process-parent-group-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.group_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.parent.group_leader.saved_user.risk.static_score: - dashed_name: process-parent-group-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.group_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.parent.group_leader.saved_user.risk.static_score_norm: - dashed_name: process-parent-group-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.group_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.parent.group_leader.saved_user.roles: - dashed_name: process-parent-group-leader-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.group_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.parent.group_leader.start: - dashed_name: process-parent-group-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.group_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.parent.group_leader.supplemental_groups.domain: - dashed_name: process-parent-group-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.parent.group_leader.supplemental_groups.id: - dashed_name: process-parent-group-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.group_leader.supplemental_groups.name: - dashed_name: process-parent-group-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.parent.group_leader.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.group_leader.thread.capabilities.effective: - dashed_name: process-parent-group-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.group_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword -process.parent.group_leader.thread.capabilities.permitted: - dashed_name: process-parent-group-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.group_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. 
- synthetic_source_keep: none - type: keyword -process.parent.group_leader.thread.id: - dashed_name: process-parent-group-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.parent.group_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long -process.parent.group_leader.thread.name: - dashed_name: process-parent-group-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.parent.group_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword -process.parent.group_leader.title: - dashed_name: process-parent-group-leader-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: for - example a browser setting its title to the web page currently opened.' - flat_name: process.parent.group_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword -process.parent.group_leader.tty: - dashed_name: process-parent-group-leader-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.parent.group_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.parent.group_leader.tty.char_device.major: - dashed_name: process-parent-group-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. 
- The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.parent.group_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long -process.parent.group_leader.tty.char_device.minor: - dashed_name: process-parent-group-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.parent.group_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long -process.parent.group_leader.tty.columns: - dashed_name: process-parent-group-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.parent.group_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long -process.parent.group_leader.tty.rows: - dashed_name: process-parent-group-leader-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. 
where event.action = ''text_output''' - example: 24 - flat_name: process.parent.group_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long -process.parent.group_leader.uptime: - dashed_name: process-parent-group-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.parent.group_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long -process.parent.group_leader.user.domain: - dashed_name: process-parent-group-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.parent.group_leader.user.email: - dashed_name: process-parent-group-leader-user-email - description: User email address. - flat_name: process.parent.group_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.parent.group_leader.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. 
- flat_name: process.parent.group_leader.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.parent.group_leader.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.parent.group_leader.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.parent.group_leader.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.parent.group_leader.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. 
- type: keyword -process.parent.group_leader.user.entity.id: - dashed_name: process-parent-group-leader-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.parent.group_leader.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.parent.group_leader.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.parent.group_leader.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.parent.group_leader.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.parent.group_leader.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.parent.group_leader.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.parent.group_leader.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.parent.group_leader.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.parent.group_leader.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.parent.group_leader.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. 
- flat_name: process.parent.group_leader.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.parent.group_leader.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.parent.group_leader.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.parent.group_leader.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.parent.group_leader.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.parent.group_leader.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: process.parent.group_leader.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.parent.group_leader.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. 
This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.parent.group_leader.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.parent.group_leader.user.full_name: - dashed_name: process-parent-group-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.group_leader.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.parent.group_leader.user.group.domain: - dashed_name: process-parent-group-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.parent.group_leader.user.group.id: - dashed_name: process-parent-group-leader-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.group_leader.user.group.name: - dashed_name: process-parent-group-leader-user-group-name - description: Name of the group. - flat_name: process.parent.group_leader.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.group_leader.user.hash: - dashed_name: process-parent-group-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.group_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.parent.group_leader.user.id: - dashed_name: process-parent-group-leader-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.group_leader.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.parent.group_leader.user.name: - dashed_name: process-parent-group-leader-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.parent.group_leader.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.parent.group_leader.user.risk.calculated_level: - dashed_name: process-parent-group-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.group_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.parent.group_leader.user.risk.calculated_score: - dashed_name: process-parent-group-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.group_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.parent.group_leader.user.risk.calculated_score_norm: - dashed_name: process-parent-group-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. 
- example: 88.73 - flat_name: process.parent.group_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.parent.group_leader.user.risk.static_level: - dashed_name: process-parent-group-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.group_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.parent.group_leader.user.risk.static_score: - dashed_name: process-parent-group-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.group_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.parent.group_leader.user.risk.static_score_norm: - dashed_name: process-parent-group-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.group_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. 
- type: float -process.parent.group_leader.user.roles: - dashed_name: process-parent-group-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.group_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.parent.group_leader.vpid: - dashed_name: process-parent-group-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.parent.group_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.parent.group_leader.working_directory: - dashed_name: process-parent-group-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.parent.group_leader.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword -process.parent.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-parent-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.parent.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. 
- type: keyword -process.parent.hash.md5: - dashed_name: process-parent-hash-md5 - description: MD5 hash. - flat_name: process.parent.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.parent.hash.sha1: - dashed_name: process-parent-hash-sha1 - description: SHA1 hash. - flat_name: process.parent.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.parent.hash.sha256: - dashed_name: process-parent-hash-sha256 - description: SHA256 hash. - flat_name: process.parent.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.parent.hash.sha384: - dashed_name: process-parent-hash-sha384 - description: SHA384 hash. - flat_name: process.parent.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword -process.parent.hash.sha512: - dashed_name: process-parent-hash-sha512 - description: SHA512 hash. - flat_name: process.parent.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.parent.hash.ssdeep: - dashed_name: process-parent-hash-ssdeep - description: SSDEEP hash. - flat_name: process.parent.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -process.parent.hash.tlsh: - dashed_name: process-parent-hash-tlsh - description: TLSH hash. - flat_name: process.parent.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. 
- type: keyword -process.parent.interactive: - dashed_name: process-parent-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.parent.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.parent.io: - dashed_name: process-parent-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.parent.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object -process.parent.io.bytes_skipped: - dashed_name: process-parent-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. - flat_name: process.parent.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been skipped. - type: object -process.parent.io.bytes_skipped.length: - dashed_name: process-parent-io-bytes-skipped-length - description: The length of bytes skipped. 
- flat_name: process.parent.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long -process.parent.io.bytes_skipped.offset: - dashed_name: process-parent-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.parent.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.parent.io.max_bytes_per_process_exceeded: - dashed_name: process-parent-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.parent.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.parent.io.text: - dashed_name: process-parent-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.parent.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. 
- type: wildcard -process.parent.io.total_bytes_captured: - dashed_name: process-parent-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.parent.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long -process.parent.io.total_bytes_skipped: - dashed_name: process-parent-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.parent.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. - type: long -process.parent.io.type: - dashed_name: process-parent-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.parent.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword -process.parent.macho.go_import_hash: - dashed_name: process-parent-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword -process.parent.macho.go_imports: - dashed_name: process-parent-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.parent.macho.go_imports_names_entropy: - dashed_name: process-parent-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long -process.parent.macho.go_imports_names_var_entropy: - dashed_name: process-parent-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.parent.macho.go_stripped: - dashed_name: process-parent-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. 
- flat_name: process.parent.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.parent.macho.import_hash: - dashed_name: process-parent-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.parent.macho.imports: - dashed_name: process-parent-macho-imports - description: List of imported element names and types. - flat_name: process.parent.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened -process.parent.macho.imports_names_entropy: - dashed_name: process-parent-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.parent.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.parent.macho.imports_names_var_entropy: - dashed_name: process-parent-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- flat_name: process.parent.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.parent.macho.sections: - dashed_name: process-parent-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.parent.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested -process.parent.macho.sections.entropy: - dashed_name: process-parent-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long -process.parent.macho.sections.name: - dashed_name: process-parent-macho-sections-name - description: Mach-O Section List name. - flat_name: process.parent.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword -process.parent.macho.sections.physical_size: - dashed_name: process-parent-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.parent.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. 
- type: long -process.parent.macho.sections.var_entropy: - dashed_name: process-parent-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long -process.parent.macho.sections.virtual_size: - dashed_name: process-parent-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long -process.parent.macho.symhash: - dashed_name: process-parent-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.parent.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.parent.name: - dashed_name: process-parent-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.parent.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. 
- type: keyword -process.parent.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-parent-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. - example: http://example.com/article1.html - flat_name: process.parent.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.parent.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-parent-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.parent.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword -process.parent.pe.architecture: - dashed_name: process-parent-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.parent.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword -process.parent.pe.company: - dashed_name: process-parent-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.parent.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.parent.pe.description: - dashed_name: process-parent-pe-description - description: Internal description of the file, provided at compile-time. 
- example: Paint - flat_name: process.parent.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword -process.parent.pe.file_version: - dashed_name: process-parent-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.parent.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword -process.parent.pe.go_import_hash: - dashed_name: process-parent-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword -process.parent.pe.go_imports: - dashed_name: process-parent-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened -process.parent.pe.go_imports_names_entropy: - dashed_name: process-parent-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.parent.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long -process.parent.pe.go_imports_names_var_entropy: - dashed_name: process-parent-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.parent.pe.go_stripped: - dashed_name: process-parent-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.parent.pe.imphash: - dashed_name: process-parent-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.parent.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.parent.pe.import_hash: - dashed_name: process-parent-pe-import-hash - description: 'A hash of the imports in a PE file. 
An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.parent.pe.imports: - dashed_name: process-parent-pe-imports - description: List of imported element names and types. - flat_name: process.parent.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened -process.parent.pe.imports_names_entropy: - dashed_name: process-parent-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.parent.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.parent.pe.imports_names_var_entropy: - dashed_name: process-parent-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.parent.pe.original_file_name: - dashed_name: process-parent-pe-original-file-name - description: Internal name of the file, provided at compile-time. 
- example: MSPAINT.EXE - flat_name: process.parent.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword -process.parent.pe.pehash: - dashed_name: process-parent-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.parent.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword -process.parent.pe.product: - dashed_name: process-parent-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.parent.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.parent.pe.sections: - dashed_name: process-parent-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.parent.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.parent.pe.sections.entropy: - dashed_name: process-parent-pe-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.parent.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long -process.parent.pe.sections.name: - dashed_name: process-parent-pe-sections-name - description: PE Section List name. - flat_name: process.parent.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword -process.parent.pe.sections.physical_size: - dashed_name: process-parent-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.parent.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.parent.pe.sections.var_entropy: - dashed_name: process-parent-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.parent.pe.sections.virtual_size: - dashed_name: process-parent-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.parent.pid: - dashed_name: process-parent-pid - description: Process id. - example: 4242 - flat_name: process.parent.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. 
- type: long -process.parent.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-parent-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. - flat_name: process.parent.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.parent.real_group.domain: - dashed_name: process-parent-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.real_group.id: - dashed_name: process-parent-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.real_group.name: - dashed_name: process-parent-real-group-name - description: Name of the group. - flat_name: process.parent.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.real_user.domain: - dashed_name: process-parent-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.parent.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.parent.real_user.email: - dashed_name: process-parent-real-user-email - description: User email address. - flat_name: process.parent.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.parent.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.parent.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.parent.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.parent.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. 
- type: object -process.parent.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.parent.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.real_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.parent.real_user.entity.id: - dashed_name: process-parent-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.parent.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.parent.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. 
- flat_name: process.parent.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.parent.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.parent.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.parent.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.parent.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. 
- flat_name: process.parent.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.real_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.parent.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.parent.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.parent.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.parent.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.parent.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). 
- flat_name: process.parent.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.parent.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.parent.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.parent.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. 
- Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. 
Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.parent.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.parent.real_user.full_name: - dashed_name: process-parent-real-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.parent.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.parent.real_user.group.domain: - dashed_name: process-parent-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.real_user.group.id: - dashed_name: process-parent-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.real_user.group.name: - dashed_name: process-parent-real-user-group-name - description: Name of the group. - flat_name: process.parent.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.real_user.hash: - dashed_name: process-parent-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. 
- type: keyword -process.parent.real_user.id: - dashed_name: process-parent-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.parent.real_user.name: - dashed_name: process-parent-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.parent.real_user.risk.calculated_level: - dashed_name: process-parent-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.parent.real_user.risk.calculated_score: - dashed_name: process-parent-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: float -process.parent.real_user.risk.calculated_score_norm: - dashed_name: process-parent-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.parent.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.parent.real_user.risk.static_level: - dashed_name: process-parent-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.parent.real_user.risk.static_score: - dashed_name: process-parent-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.parent.real_user.risk.static_score_norm: - dashed_name: process-parent-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - flat_name: process.parent.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.parent.real_user.roles: - dashed_name: process-parent-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.parent.same_as_process: - dashed_name: process-parent-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' 
- example: true - flat_name: process.parent.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.parent.saved_group.domain: - dashed_name: process-parent-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.saved_group.id: - dashed_name: process-parent-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.saved_group.name: - dashed_name: process-parent-saved-group-name - description: Name of the group. - flat_name: process.parent.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.saved_user.domain: - dashed_name: process-parent-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.parent.saved_user.email: - dashed_name: process-parent-saved-user-email - description: User email address. 
- flat_name: process.parent.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.parent.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.parent.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.parent.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.parent.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.parent.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. 
This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.parent.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.saved_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.parent.saved_user.entity.id: - dashed_name: process-parent-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.parent.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.parent.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.parent.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." 
- type: date -process.parent.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.parent.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.parent.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.parent.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.parent.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.saved_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.parent.saved_user.entity.raw: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.parent.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.parent.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.parent.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.parent.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.parent.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.parent.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. 
- Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.parent.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.parent.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. 
This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. 
This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.parent.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.parent.saved_user.full_name: - dashed_name: process-parent-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.parent.saved_user.group.domain: - dashed_name: process-parent-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.parent.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.saved_user.group.id: - dashed_name: process-parent-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.saved_user.group.name: - dashed_name: process-parent-saved-user-group-name - description: Name of the group. - flat_name: process.parent.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.saved_user.hash: - dashed_name: process-parent-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.parent.saved_user.id: - dashed_name: process-parent-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.parent.saved_user.name: - dashed_name: process-parent-saved-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.parent.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.parent.saved_user.risk.calculated_level: - dashed_name: process-parent-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.parent.saved_user.risk.calculated_score: - dashed_name: process-parent-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.parent.saved_user.risk.calculated_score_norm: - dashed_name: process-parent-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.parent.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float -process.parent.saved_user.risk.static_level: - dashed_name: process-parent-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.parent.saved_user.risk.static_score: - dashed_name: process-parent-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.parent.saved_user.risk.static_score_norm: - dashed_name: process-parent-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.parent.saved_user.roles: - dashed_name: process-parent-saved-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.parent.start: - dashed_name: process-parent-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.parent.supplemental_groups.domain: - dashed_name: process-parent-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.supplemental_groups.id: - dashed_name: process-parent-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.supplemental_groups.name: - dashed_name: process-parent-supplemental-groups-name - description: Name of the group. - flat_name: process.parent.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.thread.capabilities.effective: - dashed_name: process-parent-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword -process.parent.thread.capabilities.permitted: - dashed_name: process-parent-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword -process.parent.thread.id: - dashed_name: process-parent-thread-id - description: Thread ID. - example: 4242 - flat_name: process.parent.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long -process.parent.thread.name: - dashed_name: process-parent-thread-name - description: Thread name. - example: thread-0 - flat_name: process.parent.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword -process.parent.title: - dashed_name: process-parent-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: for - example a browser setting its title to the web page currently opened.' 
- flat_name: process.parent.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword -process.parent.tty: - dashed_name: process-parent-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.parent.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.parent.tty.char_device.major: - dashed_name: process-parent-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.parent.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long -process.parent.tty.char_device.minor: - dashed_name: process-parent-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.parent.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long -process.parent.tty.columns: - dashed_name: process-parent-tty-columns - description: 'The number of character columns per line. 
e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.parent.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long -process.parent.tty.rows: - dashed_name: process-parent-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.parent.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long -process.parent.uptime: - dashed_name: process-parent-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.parent.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long -process.parent.user.domain: - dashed_name: process-parent-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.parent.user.email: - dashed_name: process-parent-user-email - description: User email address. - flat_name: process.parent.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.parent.user.entity.attributes: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.parent.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.parent.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.parent.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.parent.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.parent.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.parent.user.entity.id: - dashed_name: process-parent-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.parent.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.parent.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.parent.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.parent.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.parent.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.parent.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.parent.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.parent.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.parent.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. 
- flat_name: process.parent.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.parent.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.parent.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.parent.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.parent.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.parent.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: process.parent.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.parent.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. 
This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.parent.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.parent.user.full_name: - dashed_name: process-parent-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.parent.user.group.domain: - dashed_name: process-parent-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.user.group.id: - dashed_name: process-parent-user-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.parent.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.user.group.name: - dashed_name: process-parent-user-group-name - description: Name of the group. - flat_name: process.parent.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.user.hash: - dashed_name: process-parent-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.parent.user.id: - dashed_name: process-parent-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.parent.user.name: - dashed_name: process-parent-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.parent.user.risk.calculated_level: - dashed_name: process-parent-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: High - flat_name: process.parent.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.parent.user.risk.calculated_score: - dashed_name: process-parent-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.parent.user.risk.calculated_score_norm: - dashed_name: process-parent-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.parent.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.parent.user.risk.static_level: - dashed_name: process-parent-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: keyword -process.parent.user.risk.static_score: - dashed_name: process-parent-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.parent.user.risk.static_score_norm: - dashed_name: process-parent-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.parent.user.roles: - dashed_name: process-parent-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.parent.vpid: - dashed_name: process-parent-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.parent.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. 
- type: long -process.parent.working_directory: - dashed_name: process-parent-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.parent.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword -process.pe.architecture: - dashed_name: process-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword -process.pe.company: - dashed_name: process-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.pe.description: - dashed_name: process-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword -process.pe.file_version: - dashed_name: process-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. 
- type: keyword -process.pe.go_import_hash: - dashed_name: process-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword -process.pe.go_imports: - dashed_name: process-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened -process.pe.go_imports_names_entropy: - dashed_name: process-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long -process.pe.go_imports_names_var_entropy: - dashed_name: process-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long -process.pe.go_stripped: - dashed_name: process-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.pe.imphash: - dashed_name: process-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.pe.import_hash: - dashed_name: process-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.pe.imports: - dashed_name: process-pe-imports - description: List of imported element names and types. - flat_name: process.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. 
- type: flattened -process.pe.imports_names_entropy: - dashed_name: process-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.pe.imports_names_var_entropy: - dashed_name: process-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.pe.original_file_name: - dashed_name: process-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword -process.pe.pehash: - dashed_name: process-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. 
- type: keyword -process.pe.product: - dashed_name: process-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.pe.sections: - dashed_name: process-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.pe.sections.entropy: - dashed_name: process-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long -process.pe.sections.name: - dashed_name: process-pe-sections-name - description: PE Section List name. - flat_name: process.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword -process.pe.sections.physical_size: - dashed_name: process-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.pe.sections.var_entropy: - dashed_name: process-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. 
- flat_name: process.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.pe.sections.virtual_size: - dashed_name: process-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.pid: - dashed_name: process-pid - description: Process id. - example: 4242 - flat_name: process.pid - format: string - level: core - name: pid - normalize: [] - otel: - - relation: match - short: Process id. - type: long -process.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. - flat_name: process.platform_binary - level: extended - name: platform_binary - normalize: [] - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.previous.args: - dashed_name: process-previous-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.previous.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword -process.previous.args_count: - dashed_name: process-previous-args-count - description: 'Length of the process.args array. 
- - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.previous.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long -process.previous.attested_groups.domain: - dashed_name: process-previous-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.previous.attested_groups.id: - dashed_name: process-previous-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.previous.attested_groups.name: - dashed_name: process-previous-attested-groups-name - description: Name of the group. - flat_name: process.previous.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.previous.attested_user.domain: - dashed_name: process-previous-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. 
- type: keyword -process.previous.attested_user.email: - dashed_name: process-previous-attested-user-email - description: User email address. - flat_name: process.previous.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.previous.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.previous.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.previous.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.previous.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.previous.attested_user.entity.display_name: - beta: This field is beta and subject to change. 
- dashed_name: process-previous-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.previous.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.attested_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.previous.attested_user.entity.id: - dashed_name: process-previous-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.previous.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.previous.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. 
- flat_name: process.previous.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.previous.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.previous.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.previous.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.previous.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.previous.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. 
- flat_name: process.previous.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.attested_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.previous.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.previous.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.previous.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.previous.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.previous.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). 
- flat_name: process.previous.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.previous.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.previous.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.previous.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. 
- Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. 
Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.previous.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.previous.attested_user.full_name: - dashed_name: process-previous-attested-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.previous.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.previous.attested_user.group.domain: - dashed_name: process-previous-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.previous.attested_user.group.id: - dashed_name: process-previous-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.previous.attested_user.group.name: - dashed_name: process-previous-attested-user-group-name - description: Name of the group. - flat_name: process.previous.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.previous.attested_user.hash: - dashed_name: process-previous-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.previous.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.previous.attested_user.id: - dashed_name: process-previous-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.previous.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.previous.attested_user.name: - dashed_name: process-previous-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.previous.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.previous.attested_user.risk.calculated_level: - dashed_name: process-previous-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.previous.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.previous.attested_user.risk.calculated_score: - dashed_name: process-previous-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.previous.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.previous.attested_user.risk.calculated_score_norm: - dashed_name: process-previous-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.previous.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.previous.attested_user.risk.static_level: - dashed_name: process-previous-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.previous.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.previous.attested_user.risk.static_score: - dashed_name: process-previous-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.previous.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.previous.attested_user.risk.static_score_norm: - dashed_name: process-previous-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.previous.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.previous.attested_user.roles: - dashed_name: process-previous-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.previous.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.previous.code_signature.digest_algorithm: - dashed_name: process-previous-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.previous.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword -process.previous.code_signature.exists: - dashed_name: process-previous-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.previous.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. 
- type: boolean -process.previous.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-previous-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.previous.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword -process.previous.code_signature.signing_id: - dashed_name: process-previous-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.previous.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword -process.previous.code_signature.status: - dashed_name: process-previous-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.previous.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. 
- type: keyword -process.previous.code_signature.subject_name: - dashed_name: process-previous-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.previous.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -process.previous.code_signature.team_id: - dashed_name: process-previous-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.previous.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword -process.previous.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-previous-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.previous.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword -process.previous.code_signature.timestamp: - dashed_name: process-previous-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.previous.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. 
- type: date -process.previous.code_signature.trusted: - dashed_name: process-previous-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.previous.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -process.previous.code_signature.valid: - dashed_name: process-previous-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.previous.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -process.previous.command_line: - dashed_name: process-previous-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.previous.command_line - level: extended - multi_fields: - - flat_name: process.previous.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.previous.elf.architecture: - dashed_name: process-previous-elf-architecture - description: Machine architecture of the ELF file. 
- example: x86-64 - flat_name: process.previous.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword -process.previous.elf.byte_order: - dashed_name: process-previous-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.previous.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword -process.previous.elf.cpu_type: - dashed_name: process-previous-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.previous.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword -process.previous.elf.creation_date: - dashed_name: process-previous-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - flat_name: process.previous.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date -process.previous.elf.exports: - dashed_name: process-previous-elf-exports - description: List of exported element names and types. - flat_name: process.previous.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -process.previous.elf.go_import_hash: - dashed_name: process-previous-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.previous.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword -process.previous.elf.go_imports: - dashed_name: process-previous-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.previous.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened -process.previous.elf.go_imports_names_entropy: - dashed_name: process-previous-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.previous.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long -process.previous.elf.go_imports_names_var_entropy: - dashed_name: process-previous-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.previous.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long -process.previous.elf.go_stripped: - dashed_name: process-previous-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.previous.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.previous.elf.header.abi_version: - dashed_name: process-previous-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.previous.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword -process.previous.elf.header.class: - dashed_name: process-previous-elf-header-class - description: Header class of the ELF file. - flat_name: process.previous.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword -process.previous.elf.header.data: - dashed_name: process-previous-elf-header-data - description: Data table of the ELF header. - flat_name: process.previous.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword -process.previous.elf.header.entrypoint: - dashed_name: process-previous-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.previous.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. 
- type: long -process.previous.elf.header.object_version: - dashed_name: process-previous-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.previous.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword -process.previous.elf.header.os_abi: - dashed_name: process-previous-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.previous.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword -process.previous.elf.header.type: - dashed_name: process-previous-elf-header-type - description: Header type of the ELF file. - flat_name: process.previous.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword -process.previous.elf.header.version: - dashed_name: process-previous-elf-header-version - description: Version of the ELF header. - flat_name: process.previous.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword -process.previous.elf.import_hash: - dashed_name: process-previous-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.previous.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword -process.previous.elf.imports: - dashed_name: process-previous-elf-imports - description: List of imported element names and types. - flat_name: process.previous.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -process.previous.elf.imports_names_entropy: - dashed_name: process-previous-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.previous.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.previous.elf.imports_names_var_entropy: - dashed_name: process-previous-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.previous.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.previous.elf.sections: - dashed_name: process-previous-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: process.previous.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. 
- type: nested -process.previous.elf.sections.chi2: - dashed_name: process-previous-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.previous.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long -process.previous.elf.sections.entropy: - dashed_name: process-previous-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.previous.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -process.previous.elf.sections.flags: - dashed_name: process-previous-elf-sections-flags - description: ELF Section List flags. - flat_name: process.previous.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword -process.previous.elf.sections.name: - dashed_name: process-previous-elf-sections-name - description: ELF Section List name. - flat_name: process.previous.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword -process.previous.elf.sections.physical_offset: - dashed_name: process-previous-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.previous.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword -process.previous.elf.sections.physical_size: - dashed_name: process-previous-elf-sections-physical-size - description: ELF Section List physical size. 
- flat_name: process.previous.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long -process.previous.elf.sections.type: - dashed_name: process-previous-elf-sections-type - description: ELF Section List type. - flat_name: process.previous.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword -process.previous.elf.sections.var_entropy: - dashed_name: process-previous-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.previous.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long -process.previous.elf.sections.virtual_address: - dashed_name: process-previous-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.previous.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -process.previous.elf.sections.virtual_size: - dashed_name: process-previous-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.previous.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long -process.previous.elf.segments: - dashed_name: process-previous-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' 
- flat_name: process.previous.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested -process.previous.elf.segments.sections: - dashed_name: process-previous-elf-segments-sections - description: ELF object segment sections. - flat_name: process.previous.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword -process.previous.elf.segments.type: - dashed_name: process-previous-elf-segments-type - description: ELF object segment type. - flat_name: process.previous.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword -process.previous.elf.shared_libraries: - dashed_name: process-previous-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.previous.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword -process.previous.elf.telfhash: - dashed_name: process-previous-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.previous.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword -process.previous.end: - dashed_name: process-previous-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.previous.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date -process.previous.endpoint_security_client: - beta: This field is beta and subject to change. 
- dashed_name: process-previous-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.previous.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.previous.entity_id: - dashed_name: process-previous-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.previous.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.previous.entry_meta.source.address: - dashed_name: process-previous-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.previous.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword -process.previous.entry_meta.source.as.number: - dashed_name: process-previous-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. 
The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.previous.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.previous.entry_meta.source.as.organization.name: - dashed_name: process-previous-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.previous.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword -process.previous.entry_meta.source.bytes: - dashed_name: process-previous-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.previous.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long -process.previous.entry_meta.source.domain: - dashed_name: process-previous-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' - example: foo.example.com - flat_name: process.previous.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.previous.entry_meta.source.geo.city_name: - dashed_name: process-previous-entry-meta-source-geo-city-name - description: City name. 
- example: Montreal - flat_name: process.previous.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.previous.entry_meta.source.geo.continent_code: - dashed_name: process-previous-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.previous.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -process.previous.entry_meta.source.geo.continent_name: - dashed_name: process-previous-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.previous.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword -process.previous.entry_meta.source.geo.country_iso_code: - dashed_name: process-previous-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.previous.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword -process.previous.entry_meta.source.geo.country_name: - dashed_name: process-previous-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.previous.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.previous.entry_meta.source.geo.location: - dashed_name: process-previous-entry-meta-source-geo-location - description: Longitude and latitude. 
- example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.previous.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -process.previous.entry_meta.source.geo.name: - dashed_name: process-previous-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.previous.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.previous.entry_meta.source.geo.postal_code: - dashed_name: process-previous-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.previous.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -process.previous.entry_meta.source.geo.region_iso_code: - dashed_name: process-previous-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.previous.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.previous.entry_meta.source.geo.region_name: - dashed_name: process-previous-entry-meta-source-geo-region-name - description: Region name. 
- example: Quebec - flat_name: process.previous.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -process.previous.entry_meta.source.geo.timezone: - dashed_name: process-previous-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.previous.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -process.previous.entry_meta.source.ip: - dashed_name: process-previous-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.previous.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.previous.entry_meta.source.mac: - dashed_name: process-previous-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.previous.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.previous.entry_meta.source.nat.ip: - dashed_name: process-previous-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' 
- flat_name: process.previous.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.previous.entry_meta.source.nat.port: - dashed_name: process-previous-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.previous.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.previous.entry_meta.source.packets: - dashed_name: process-previous-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.previous.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.previous.entry_meta.source.port: - dashed_name: process-previous-entry-meta-source-port - description: Port of the source. - flat_name: process.previous.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.previous.entry_meta.source.registered_domain: - dashed_name: process-previous-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' 
- example: example.com - flat_name: process.previous.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword -process.previous.entry_meta.source.subdomain: - dashed_name: process-previous-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.previous.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword -process.previous.entry_meta.source.top_level_domain: - dashed_name: process-previous-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.previous.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). 
- type: keyword -process.previous.entry_meta.type: - dashed_name: process-previous-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.previous.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword -process.previous.env_vars: - dashed_name: process-previous-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.previous.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.previous.executable: - dashed_name: process-previous-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.previous.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword -process.previous.exit_code: - dashed_name: process-previous-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.previous.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. 
- type: long -process.previous.group.domain: - dashed_name: process-previous-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.previous.group.id: - dashed_name: process-previous-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.previous.group.name: - dashed_name: process-previous-group-name - description: Name of the group. - flat_name: process.previous.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.previous.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-previous-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.previous.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.previous.hash.md5: - dashed_name: process-previous-hash-md5 - description: MD5 hash. - flat_name: process.previous.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.previous.hash.sha1: - dashed_name: process-previous-hash-sha1 - description: SHA1 hash. 
- flat_name: process.previous.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.previous.hash.sha256: - dashed_name: process-previous-hash-sha256 - description: SHA256 hash. - flat_name: process.previous.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.previous.hash.sha384: - dashed_name: process-previous-hash-sha384 - description: SHA384 hash. - flat_name: process.previous.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword -process.previous.hash.sha512: - dashed_name: process-previous-hash-sha512 - description: SHA512 hash. - flat_name: process.previous.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.previous.hash.ssdeep: - dashed_name: process-previous-hash-ssdeep - description: SSDEEP hash. - flat_name: process.previous.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -process.previous.hash.tlsh: - dashed_name: process-previous-hash-tlsh - description: TLSH hash. - flat_name: process.previous.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword -process.previous.interactive: - dashed_name: process-previous-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. 
- - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.previous.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.previous.io: - dashed_name: process-previous-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.previous.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object -process.previous.io.bytes_skipped: - dashed_name: process-previous-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. - flat_name: process.previous.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been skipped. - type: object -process.previous.io.bytes_skipped.length: - dashed_name: process-previous-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.previous.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long -process.previous.io.bytes_skipped.offset: - dashed_name: process-previous-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. 
- flat_name: process.previous.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.previous.io.max_bytes_per_process_exceeded: - dashed_name: process-previous-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.previous.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.previous.io.text: - dashed_name: process-previous-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.previous.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard -process.previous.io.total_bytes_captured: - dashed_name: process-previous-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.previous.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. 
- type: long -process.previous.io.total_bytes_skipped: - dashed_name: process-previous-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.previous.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. - type: long -process.previous.io.type: - dashed_name: process-previous-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.previous.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword -process.previous.macho.go_import_hash: - dashed_name: process-previous-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.previous.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. 
- type: keyword -process.previous.macho.go_imports: - dashed_name: process-previous-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.previous.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.previous.macho.go_imports_names_entropy: - dashed_name: process-previous-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.previous.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long -process.previous.macho.go_imports_names_var_entropy: - dashed_name: process-previous-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.previous.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.previous.macho.go_stripped: - dashed_name: process-previous-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.previous.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.previous.macho.import_hash: - dashed_name: process-previous-macho-import-hash - description: 'A hash of the imports in a Mach-O file. 
An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.previous.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.previous.macho.imports: - dashed_name: process-previous-macho-imports - description: List of imported element names and types. - flat_name: process.previous.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened -process.previous.macho.imports_names_entropy: - dashed_name: process-previous-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.previous.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.previous.macho.imports_names_var_entropy: - dashed_name: process-previous-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.previous.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.previous.macho.sections: - dashed_name: process-previous-macho-sections - description: 'An array containing an object for each section of the Mach-O file. 
- - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.previous.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested -process.previous.macho.sections.entropy: - dashed_name: process-previous-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.previous.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long -process.previous.macho.sections.name: - dashed_name: process-previous-macho-sections-name - description: Mach-O Section List name. - flat_name: process.previous.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword -process.previous.macho.sections.physical_size: - dashed_name: process-previous-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.previous.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long -process.previous.macho.sections.var_entropy: - dashed_name: process-previous-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.previous.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long -process.previous.macho.sections.virtual_size: - dashed_name: process-previous-macho-sections-virtual-size - description: Mach-O Section List virtual size. 
This is always the same as `physical_size`. - flat_name: process.previous.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long -process.previous.macho.symhash: - dashed_name: process-previous-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.previous.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.previous.name: - dashed_name: process-previous-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.previous.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword -process.previous.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-previous-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. - example: http://example.com/article1.html - flat_name: process.previous.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.previous.origin_url: - beta: This field is beta and subject to change. 
- dashed_name: process-previous-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.previous.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword -process.previous.pe.architecture: - dashed_name: process-previous-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.previous.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword -process.previous.pe.company: - dashed_name: process-previous-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.previous.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.previous.pe.description: - dashed_name: process-previous-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.previous.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword -process.previous.pe.file_version: - dashed_name: process-previous-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.previous.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. 
- type: keyword -process.previous.pe.go_import_hash: - dashed_name: process-previous-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.previous.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword -process.previous.pe.go_imports: - dashed_name: process-previous-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.previous.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened -process.previous.pe.go_imports_names_entropy: - dashed_name: process-previous-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.previous.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long -process.previous.pe.go_imports_names_var_entropy: - dashed_name: process-previous-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. 
- flat_name: process.previous.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.previous.pe.go_stripped: - dashed_name: process-previous-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.previous.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.previous.pe.imphash: - dashed_name: process-previous-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.previous.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.previous.pe.import_hash: - dashed_name: process-previous-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.previous.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. 
- type: keyword -process.previous.pe.imports: - dashed_name: process-previous-pe-imports - description: List of imported element names and types. - flat_name: process.previous.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened -process.previous.pe.imports_names_entropy: - dashed_name: process-previous-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.previous.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.previous.pe.imports_names_var_entropy: - dashed_name: process-previous-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.previous.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.previous.pe.original_file_name: - dashed_name: process-previous-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.previous.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword -process.previous.pe.pehash: - dashed_name: process-previous-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. 
- - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.previous.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword -process.previous.pe.product: - dashed_name: process-previous-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.previous.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.previous.pe.sections: - dashed_name: process-previous-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.previous.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.previous.pe.sections.entropy: - dashed_name: process-previous-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.previous.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long -process.previous.pe.sections.name: - dashed_name: process-previous-pe-sections-name - description: PE Section List name. - flat_name: process.previous.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. 
- type: keyword -process.previous.pe.sections.physical_size: - dashed_name: process-previous-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.previous.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.previous.pe.sections.var_entropy: - dashed_name: process-previous-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.previous.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.previous.pe.sections.virtual_size: - dashed_name: process-previous-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.previous.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.previous.pid: - dashed_name: process-previous-pid - description: Process id. - example: 4242 - flat_name: process.previous.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long -process.previous.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-previous-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. 
- flat_name: process.previous.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.previous.real_group.domain: - dashed_name: process-previous-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.previous.real_group.id: - dashed_name: process-previous-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.previous.real_group.name: - dashed_name: process-previous-real-group-name - description: Name of the group. - flat_name: process.previous.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.previous.real_user.domain: - dashed_name: process-previous-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.previous.real_user.email: - dashed_name: process-previous-real-user-email - description: User email address. 
- flat_name: process.previous.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.previous.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.previous.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.previous.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.previous.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.previous.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. 
This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.previous.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.real_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.previous.real_user.entity.id: - dashed_name: process-previous-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.previous.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.previous.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.previous.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." 
- type: date -process.previous.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.previous.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.previous.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.previous.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.previous.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.previous.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.real_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.previous.real_user.entity.raw: - beta: This field is beta and subject to change. 
- dashed_name: process-previous-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.previous.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.previous.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.previous.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.previous.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.previous.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.previous.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. 
- Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.previous.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.previous.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. 
This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. 
This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.previous.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.previous.real_user.full_name: - dashed_name: process-previous-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.previous.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.previous.real_user.group.domain: - dashed_name: process-previous-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.previous.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.previous.real_user.group.id: - dashed_name: process-previous-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.previous.real_user.group.name: - dashed_name: process-previous-real-user-group-name - description: Name of the group. - flat_name: process.previous.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.previous.real_user.hash: - dashed_name: process-previous-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.previous.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.previous.real_user.id: - dashed_name: process-previous-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.previous.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.previous.real_user.name: - dashed_name: process-previous-real-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.previous.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.previous.real_user.risk.calculated_level: - dashed_name: process-previous-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.previous.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.previous.real_user.risk.calculated_score: - dashed_name: process-previous-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.previous.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.previous.real_user.risk.calculated_score_norm: - dashed_name: process-previous-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.previous.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float -process.previous.real_user.risk.static_level: - dashed_name: process-previous-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.previous.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.previous.real_user.risk.static_score: - dashed_name: process-previous-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.previous.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.previous.real_user.risk.static_score_norm: - dashed_name: process-previous-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.previous.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.previous.real_user.roles: - dashed_name: process-previous-real-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.previous.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.previous.same_as_process: - dashed_name: process-previous-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.previous.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.previous.saved_group.domain: - dashed_name: process-previous-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.previous.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.previous.saved_group.id: - dashed_name: process-previous-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.previous.saved_group.name: - dashed_name: process-previous-saved-group-name - description: Name of the group. - flat_name: process.previous.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.previous.saved_user.domain: - dashed_name: process-previous-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.previous.saved_user.email: - dashed_name: process-previous-saved-user-email - description: User email address. - flat_name: process.previous.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.previous.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. 
Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.previous.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.previous.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.previous.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.previous.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.previous.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.saved_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. 
- type: keyword -process.previous.saved_user.entity.id: - dashed_name: process-previous-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.previous.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.previous.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.previous.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.previous.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.previous.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.previous.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.previous.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.previous.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.previous.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.saved_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.previous.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. 
- flat_name: process.previous.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.previous.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.previous.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.previous.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.previous.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.previous.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: process.previous.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.previous.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. 
This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.previous.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.previous.saved_user.full_name: - dashed_name: process-previous-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.previous.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.previous.saved_user.group.domain: - dashed_name: process-previous-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.previous.saved_user.group.id: - dashed_name: process-previous-saved-user-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.previous.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.previous.saved_user.group.name: - dashed_name: process-previous-saved-user-group-name - description: Name of the group. - flat_name: process.previous.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.previous.saved_user.hash: - dashed_name: process-previous-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.previous.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.previous.saved_user.id: - dashed_name: process-previous-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.previous.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.previous.saved_user.name: - dashed_name: process-previous-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.previous.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword -process.previous.saved_user.risk.calculated_level: - dashed_name: process-previous-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.previous.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.previous.saved_user.risk.calculated_score: - dashed_name: process-previous-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.previous.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.previous.saved_user.risk.calculated_score_norm: - dashed_name: process-previous-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.previous.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.previous.saved_user.risk.static_level: - dashed_name: process-previous-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.previous.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.previous.saved_user.risk.static_score: - dashed_name: process-previous-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.previous.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.previous.saved_user.risk.static_score_norm: - dashed_name: process-previous-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.previous.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.previous.saved_user.roles: - dashed_name: process-previous-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.previous.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.previous.start: - dashed_name: process-previous-start - description: The time the process started. 
- example: '2016-05-23T08:05:34.853Z' - flat_name: process.previous.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.previous.supplemental_groups.domain: - dashed_name: process-previous-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.previous.supplemental_groups.id: - dashed_name: process-previous-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.previous.supplemental_groups.name: - dashed_name: process-previous-supplemental-groups-name - description: Name of the group. - flat_name: process.previous.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.previous.thread.capabilities.effective: - dashed_name: process-previous-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.previous.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. 
- synthetic_source_keep: none - type: keyword -process.previous.thread.capabilities.permitted: - dashed_name: process-previous-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.previous.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword -process.previous.thread.id: - dashed_name: process-previous-thread-id - description: Thread ID. - example: 4242 - flat_name: process.previous.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long -process.previous.thread.name: - dashed_name: process-previous-thread-name - description: Thread name. - example: thread-0 - flat_name: process.previous.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword -process.previous.title: - dashed_name: process-previous-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: for - example a browser setting its title to the web page currently opened.' - flat_name: process.previous.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword -process.previous.tty: - dashed_name: process-previous-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. 
- flat_name: process.previous.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.previous.tty.char_device.major: - dashed_name: process-previous-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.previous.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long -process.previous.tty.char_device.minor: - dashed_name: process-previous-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.previous.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long -process.previous.tty.columns: - dashed_name: process-previous-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.previous.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. 
e.g terminal width - type: long -process.previous.tty.rows: - dashed_name: process-previous-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.previous.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long -process.previous.uptime: - dashed_name: process-previous-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.previous.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long -process.previous.user.domain: - dashed_name: process-previous-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.previous.user.email: - dashed_name: process-previous-user-email - description: User email address. - flat_name: process.previous.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.previous.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. 
Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.previous.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.previous.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.previous.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.previous.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.previous.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. 
- type: keyword -process.previous.user.entity.id: - dashed_name: process-previous-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.previous.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.previous.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.previous.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.previous.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.previous.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.previous.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.previous.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.previous.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.previous.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.previous.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.previous.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. 
- type: object -process.previous.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.previous.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.previous.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.previous.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.previous.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.previous.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. 
- type: keyword -process.previous.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. 
- name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-type - description: 'A standardized high-level classification of the entity. 
This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.previous.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.previous.user.full_name: - dashed_name: process-previous-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.previous.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.previous.user.group.domain: - dashed_name: process-previous-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.previous.user.group.id: - dashed_name: process-previous-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.previous.user.group.name: - dashed_name: process-previous-user-group-name - description: Name of the group. 
- flat_name: process.previous.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.previous.user.hash: - dashed_name: process-previous-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.previous.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.previous.user.id: - dashed_name: process-previous-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.previous.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.previous.user.name: - dashed_name: process-previous-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.previous.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.previous.user.risk.calculated_level: - dashed_name: process-previous-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.previous.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: keyword -process.previous.user.risk.calculated_score: - dashed_name: process-previous-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.previous.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.previous.user.risk.calculated_score_norm: - dashed_name: process-previous-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.previous.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.previous.user.risk.static_level: - dashed_name: process-previous-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.previous.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.previous.user.risk.static_score: - dashed_name: process-previous-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.previous.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.previous.user.risk.static_score_norm: - dashed_name: process-previous-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.previous.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.previous.user.roles: - dashed_name: process-previous-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.previous.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.previous.vpid: - dashed_name: process-previous-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.previous.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.previous.working_directory: - dashed_name: process-previous-working-directory - description: The working directory of the process. 
- example: /home/alice - flat_name: process.previous.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword -process.real_group.domain: - dashed_name: process-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.real_group.id: - dashed_name: process-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.real_group.name: - dashed_name: process-real-group-name - description: Name of the group. - flat_name: process.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.real_user.domain: - dashed_name: process-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.real_user.email: - dashed_name: process-real-user-email - description: User email address. 
- flat_name: process.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.real_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.real_user.entity.id: - dashed_name: process-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.real_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. 
- flat_name: process.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: process.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. 
This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.real_user.full_name: - dashed_name: process-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.real_user.group.domain: - dashed_name: process-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.real_user.group.id: - dashed_name: process-real-user-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.real_user.group.name: - dashed_name: process-real-user-group-name - description: Name of the group. - flat_name: process.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.real_user.hash: - dashed_name: process-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.real_user.id: - dashed_name: process-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - otel: - - relation: match - short: Unique identifier of the user. - type: keyword -process.real_user.name: - dashed_name: process-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - otel: - - relation: match - short: Short name or login of the user. 
- type: keyword -process.real_user.risk.calculated_level: - dashed_name: process-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.real_user.risk.calculated_score: - dashed_name: process-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.real_user.risk.calculated_score_norm: - dashed_name: process-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.real_user.risk.static_level: - dashed_name: process-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.real_user.risk.static_score: - dashed_name: process-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.real_user.risk.static_score_norm: - dashed_name: process-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.real_user.roles: - dashed_name: process-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.responsible.args: - dashed_name: process-responsible-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' 
- example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.responsible.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword -process.responsible.args_count: - dashed_name: process-responsible-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.responsible.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long -process.responsible.attested_groups.domain: - dashed_name: process-responsible-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.responsible.attested_groups.id: - dashed_name: process-responsible-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.responsible.attested_groups.name: - dashed_name: process-responsible-attested-groups-name - description: Name of the group. - flat_name: process.responsible.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.responsible.attested_user.domain: - dashed_name: process-responsible-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.responsible.attested_user.email: - dashed_name: process-responsible-attested-user-email - description: User email address. - flat_name: process.responsible.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.responsible.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.responsible.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.responsible.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. 
Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.responsible.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.responsible.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.responsible.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.attested_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.responsible.attested_user.entity.id: - dashed_name: process-responsible-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' 
- flat_name: process.responsible.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.responsible.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.responsible.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.responsible.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.responsible.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.responsible.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.responsible.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. 
- type: object -process.responsible.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.responsible.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.attested_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.responsible.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.responsible.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.responsible.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. 
- flat_name: process.responsible.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.responsible.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.responsible.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.responsible.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.responsible.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.responsible.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. 
Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. 
Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. 
- Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.responsible.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.responsible.attested_user.full_name: - dashed_name: process-responsible-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.responsible.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.responsible.attested_user.group.domain: - dashed_name: process-responsible-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.responsible.attested_user.group.id: - dashed_name: process-responsible-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.responsible.attested_user.group.name: - dashed_name: process-responsible-attested-user-group-name - description: Name of the group. 
- flat_name: process.responsible.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.responsible.attested_user.hash: - dashed_name: process-responsible-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.responsible.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.responsible.attested_user.id: - dashed_name: process-responsible-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.responsible.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.responsible.attested_user.name: - dashed_name: process-responsible-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.responsible.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.responsible.attested_user.risk.calculated_level: - dashed_name: process-responsible-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: High - flat_name: process.responsible.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.responsible.attested_user.risk.calculated_score: - dashed_name: process-responsible-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.responsible.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.responsible.attested_user.risk.calculated_score_norm: - dashed_name: process-responsible-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.responsible.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.responsible.attested_user.risk.static_level: - dashed_name: process-responsible-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.responsible.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.responsible.attested_user.risk.static_score: - dashed_name: process-responsible-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.responsible.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.responsible.attested_user.risk.static_score_norm: - dashed_name: process-responsible-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.responsible.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.responsible.attested_user.roles: - dashed_name: process-responsible-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.responsible.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword -process.responsible.code_signature.digest_algorithm: - dashed_name: process-responsible-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.responsible.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword -process.responsible.code_signature.exists: - dashed_name: process-responsible-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.responsible.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -process.responsible.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-responsible-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.responsible.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword -process.responsible.code_signature.signing_id: - dashed_name: process-responsible-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' 
- example: com.apple.xpc.proxy - flat_name: process.responsible.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword -process.responsible.code_signature.status: - dashed_name: process-responsible-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.responsible.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword -process.responsible.code_signature.subject_name: - dashed_name: process-responsible-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.responsible.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -process.responsible.code_signature.team_id: - dashed_name: process-responsible-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.responsible.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword -process.responsible.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. 
- dashed_name: process-responsible-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.responsible.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword -process.responsible.code_signature.timestamp: - dashed_name: process-responsible-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.responsible.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date -process.responsible.code_signature.trusted: - dashed_name: process-responsible-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.responsible.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -process.responsible.code_signature.valid: - dashed_name: process-responsible-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.responsible.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. 
- type: boolean -process.responsible.command_line: - dashed_name: process-responsible-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.responsible.command_line - level: extended - multi_fields: - - flat_name: process.responsible.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.responsible.elf.architecture: - dashed_name: process-responsible-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.responsible.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword -process.responsible.elf.byte_order: - dashed_name: process-responsible-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.responsible.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword -process.responsible.elf.cpu_type: - dashed_name: process-responsible-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.responsible.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword -process.responsible.elf.creation_date: - dashed_name: process-responsible-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. 
- flat_name: process.responsible.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date -process.responsible.elf.exports: - dashed_name: process-responsible-elf-exports - description: List of exported element names and types. - flat_name: process.responsible.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -process.responsible.elf.go_import_hash: - dashed_name: process-responsible-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.responsible.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword -process.responsible.elf.go_imports: - dashed_name: process-responsible-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.responsible.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened -process.responsible.elf.go_imports_names_entropy: - dashed_name: process-responsible-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.responsible.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long -process.responsible.elf.go_imports_names_var_entropy: - dashed_name: process-responsible-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.responsible.elf.go_stripped: - dashed_name: process-responsible-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.responsible.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.responsible.elf.header.abi_version: - dashed_name: process-responsible-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.responsible.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword -process.responsible.elf.header.class: - dashed_name: process-responsible-elf-header-class - description: Header class of the ELF file. - flat_name: process.responsible.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. 
- type: keyword -process.responsible.elf.header.data: - dashed_name: process-responsible-elf-header-data - description: Data table of the ELF header. - flat_name: process.responsible.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword -process.responsible.elf.header.entrypoint: - dashed_name: process-responsible-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.responsible.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -process.responsible.elf.header.object_version: - dashed_name: process-responsible-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.responsible.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword -process.responsible.elf.header.os_abi: - dashed_name: process-responsible-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.responsible.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword -process.responsible.elf.header.type: - dashed_name: process-responsible-elf-header-type - description: Header type of the ELF file. - flat_name: process.responsible.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword -process.responsible.elf.header.version: - dashed_name: process-responsible-elf-header-version - description: Version of the ELF header. 
- flat_name: process.responsible.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword -process.responsible.elf.import_hash: - dashed_name: process-responsible-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.responsible.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword -process.responsible.elf.imports: - dashed_name: process-responsible-elf-imports - description: List of imported element names and types. - flat_name: process.responsible.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -process.responsible.elf.imports_names_entropy: - dashed_name: process-responsible-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.responsible.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.responsible.elf.imports_names_var_entropy: - dashed_name: process-responsible-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- flat_name: process.responsible.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.responsible.elf.sections: - dashed_name: process-responsible-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: process.responsible.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -process.responsible.elf.sections.chi2: - dashed_name: process-responsible-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.responsible.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long -process.responsible.elf.sections.entropy: - dashed_name: process-responsible-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.responsible.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -process.responsible.elf.sections.flags: - dashed_name: process-responsible-elf-sections-flags - description: ELF Section List flags. - flat_name: process.responsible.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword -process.responsible.elf.sections.name: - dashed_name: process-responsible-elf-sections-name - description: ELF Section List name. 
- flat_name: process.responsible.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword -process.responsible.elf.sections.physical_offset: - dashed_name: process-responsible-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.responsible.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword -process.responsible.elf.sections.physical_size: - dashed_name: process-responsible-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.responsible.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long -process.responsible.elf.sections.type: - dashed_name: process-responsible-elf-sections-type - description: ELF Section List type. - flat_name: process.responsible.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword -process.responsible.elf.sections.var_entropy: - dashed_name: process-responsible-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.responsible.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long -process.responsible.elf.sections.virtual_address: - dashed_name: process-responsible-elf-sections-virtual-address - description: ELF Section List virtual address. 
- flat_name: process.responsible.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -process.responsible.elf.sections.virtual_size: - dashed_name: process-responsible-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.responsible.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long -process.responsible.elf.segments: - dashed_name: process-responsible-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: process.responsible.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested -process.responsible.elf.segments.sections: - dashed_name: process-responsible-elf-segments-sections - description: ELF object segment sections. - flat_name: process.responsible.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword -process.responsible.elf.segments.type: - dashed_name: process-responsible-elf-segments-type - description: ELF object segment type. - flat_name: process.responsible.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword -process.responsible.elf.shared_libraries: - dashed_name: process-responsible-elf-shared-libraries - description: List of shared libraries used by this ELF object. 
- flat_name: process.responsible.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword -process.responsible.elf.telfhash: - dashed_name: process-responsible-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.responsible.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword -process.responsible.end: - dashed_name: process-responsible-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.responsible.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date -process.responsible.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-responsible-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.responsible.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.responsible.entity_id: - dashed_name: process-responsible-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' 
- example: c2c455d9f99375d - flat_name: process.responsible.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.responsible.entry_meta.source.address: - dashed_name: process-responsible-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.responsible.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword -process.responsible.entry_meta.source.as.number: - dashed_name: process-responsible-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.responsible.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.responsible.entry_meta.source.as.organization.name: - dashed_name: process-responsible-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.responsible.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. 
- type: keyword -process.responsible.entry_meta.source.bytes: - dashed_name: process-responsible-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.responsible.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long -process.responsible.entry_meta.source.domain: - dashed_name: process-responsible-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' - example: foo.example.com - flat_name: process.responsible.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.responsible.entry_meta.source.geo.city_name: - dashed_name: process-responsible-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.responsible.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.responsible.entry_meta.source.geo.continent_code: - dashed_name: process-responsible-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.responsible.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -process.responsible.entry_meta.source.geo.continent_name: - dashed_name: process-responsible-entry-meta-source-geo-continent-name - description: Name of the continent. 
- example: North America - flat_name: process.responsible.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword -process.responsible.entry_meta.source.geo.country_iso_code: - dashed_name: process-responsible-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.responsible.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword -process.responsible.entry_meta.source.geo.country_name: - dashed_name: process-responsible-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.responsible.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.responsible.entry_meta.source.geo.location: - dashed_name: process-responsible-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.responsible.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -process.responsible.entry_meta.source.geo.name: - dashed_name: process-responsible-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' 
- example: boston-dc - flat_name: process.responsible.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.responsible.entry_meta.source.geo.postal_code: - dashed_name: process-responsible-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.responsible.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -process.responsible.entry_meta.source.geo.region_iso_code: - dashed_name: process-responsible-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.responsible.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.responsible.entry_meta.source.geo.region_name: - dashed_name: process-responsible-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.responsible.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -process.responsible.entry_meta.source.geo.timezone: - dashed_name: process-responsible-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.responsible.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. 
- type: keyword -process.responsible.entry_meta.source.ip: - dashed_name: process-responsible-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.responsible.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.responsible.entry_meta.source.mac: - dashed_name: process-responsible-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.responsible.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.responsible.entry_meta.source.nat.ip: - dashed_name: process-responsible-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.responsible.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.responsible.entry_meta.source.nat.port: - dashed_name: process-responsible-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' 
- flat_name: process.responsible.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.responsible.entry_meta.source.packets: - dashed_name: process-responsible-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.responsible.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.responsible.entry_meta.source.port: - dashed_name: process-responsible-entry-meta-source-port - description: Port of the source. - flat_name: process.responsible.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.responsible.entry_meta.source.registered_domain: - dashed_name: process-responsible-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.responsible.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword -process.responsible.entry_meta.source.subdomain: - dashed_name: process-responsible-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. 
In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.responsible.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword -process.responsible.entry_meta.source.top_level_domain: - dashed_name: process-responsible-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.responsible.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword -process.responsible.entry_meta.type: - dashed_name: process-responsible-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.responsible.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. 
- type: keyword -process.responsible.env_vars: - dashed_name: process-responsible-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.responsible.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.responsible.executable: - dashed_name: process-responsible-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.responsible.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword -process.responsible.exit_code: - dashed_name: process-responsible-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.responsible.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long -process.responsible.group.domain: - dashed_name: process-responsible-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.responsible.group.id: - dashed_name: process-responsible-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.responsible.group.name: - dashed_name: process-responsible-group-name - description: Name of the group. - flat_name: process.responsible.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.responsible.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-responsible-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.responsible.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.responsible.hash.md5: - dashed_name: process-responsible-hash-md5 - description: MD5 hash. - flat_name: process.responsible.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.responsible.hash.sha1: - dashed_name: process-responsible-hash-sha1 - description: SHA1 hash. - flat_name: process.responsible.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.responsible.hash.sha256: - dashed_name: process-responsible-hash-sha256 - description: SHA256 hash. 
- flat_name: process.responsible.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.responsible.hash.sha384: - dashed_name: process-responsible-hash-sha384 - description: SHA384 hash. - flat_name: process.responsible.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword -process.responsible.hash.sha512: - dashed_name: process-responsible-hash-sha512 - description: SHA512 hash. - flat_name: process.responsible.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.responsible.hash.ssdeep: - dashed_name: process-responsible-hash-ssdeep - description: SSDEEP hash. - flat_name: process.responsible.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -process.responsible.hash.tlsh: - dashed_name: process-responsible-hash-tlsh - description: TLSH hash. - flat_name: process.responsible.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword -process.responsible.interactive: - dashed_name: process-responsible-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). 
A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.responsible.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.responsible.io: - dashed_name: process-responsible-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.responsible.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object -process.responsible.io.bytes_skipped: - dashed_name: process-responsible-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. - flat_name: process.responsible.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been skipped. - type: object -process.responsible.io.bytes_skipped.length: - dashed_name: process-responsible-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.responsible.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long -process.responsible.io.bytes_skipped.offset: - dashed_name: process-responsible-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. 
- flat_name: process.responsible.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.responsible.io.max_bytes_per_process_exceeded: - dashed_name: process-responsible-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.responsible.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.responsible.io.text: - dashed_name: process-responsible-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.responsible.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard -process.responsible.io.total_bytes_captured: - dashed_name: process-responsible-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.responsible.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. 
- type: long -process.responsible.io.total_bytes_skipped: - dashed_name: process-responsible-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.responsible.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. - type: long -process.responsible.io.type: - dashed_name: process-responsible-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.responsible.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword -process.responsible.macho.go_import_hash: - dashed_name: process-responsible-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.responsible.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. 
- type: keyword -process.responsible.macho.go_imports: - dashed_name: process-responsible-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.responsible.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.responsible.macho.go_imports_names_entropy: - dashed_name: process-responsible-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long -process.responsible.macho.go_imports_names_var_entropy: - dashed_name: process-responsible-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.responsible.macho.go_stripped: - dashed_name: process-responsible-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.responsible.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.responsible.macho.import_hash: - dashed_name: process-responsible-macho-import-hash - description: 'A hash of the imports in a Mach-O file. 
An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.responsible.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.responsible.macho.imports: - dashed_name: process-responsible-macho-imports - description: List of imported element names and types. - flat_name: process.responsible.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened -process.responsible.macho.imports_names_entropy: - dashed_name: process-responsible-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.responsible.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.responsible.macho.imports_names_var_entropy: - dashed_name: process-responsible-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.responsible.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.responsible.macho.sections: - dashed_name: process-responsible-macho-sections - description: 'An array containing an object for each section of the Mach-O file. 
- - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.responsible.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested -process.responsible.macho.sections.entropy: - dashed_name: process-responsible-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.responsible.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long -process.responsible.macho.sections.name: - dashed_name: process-responsible-macho-sections-name - description: Mach-O Section List name. - flat_name: process.responsible.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword -process.responsible.macho.sections.physical_size: - dashed_name: process-responsible-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.responsible.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long -process.responsible.macho.sections.var_entropy: - dashed_name: process-responsible-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.responsible.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. 
- type: long -process.responsible.macho.sections.virtual_size: - dashed_name: process-responsible-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.responsible.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long -process.responsible.macho.symhash: - dashed_name: process-responsible-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.responsible.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.responsible.name: - dashed_name: process-responsible-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.responsible.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword -process.responsible.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-responsible-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. 
- example: http://example.com/article1.html - flat_name: process.responsible.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.responsible.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-responsible-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.responsible.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword -process.responsible.pe.architecture: - dashed_name: process-responsible-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.responsible.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword -process.responsible.pe.company: - dashed_name: process-responsible-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.responsible.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.responsible.pe.description: - dashed_name: process-responsible-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.responsible.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. 
- type: keyword -process.responsible.pe.file_version: - dashed_name: process-responsible-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.responsible.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword -process.responsible.pe.go_import_hash: - dashed_name: process-responsible-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.responsible.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword -process.responsible.pe.go_imports: - dashed_name: process-responsible-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.responsible.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened -process.responsible.pe.go_imports_names_entropy: - dashed_name: process-responsible-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. 
- type: long -process.responsible.pe.go_imports_names_var_entropy: - dashed_name: process-responsible-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.responsible.pe.go_stripped: - dashed_name: process-responsible-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.responsible.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.responsible.pe.imphash: - dashed_name: process-responsible-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.responsible.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.responsible.pe.import_hash: - dashed_name: process-responsible-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.responsible.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.responsible.pe.imports: - dashed_name: process-responsible-pe-imports - description: List of imported element names and types. - flat_name: process.responsible.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened -process.responsible.pe.imports_names_entropy: - dashed_name: process-responsible-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.responsible.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.responsible.pe.imports_names_var_entropy: - dashed_name: process-responsible-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.responsible.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.responsible.pe.original_file_name: - dashed_name: process-responsible-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.responsible.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. 
- type: keyword -process.responsible.pe.pehash: - dashed_name: process-responsible-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.responsible.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword -process.responsible.pe.product: - dashed_name: process-responsible-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.responsible.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.responsible.pe.sections: - dashed_name: process-responsible-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.responsible.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.responsible.pe.sections.entropy: - dashed_name: process-responsible-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.responsible.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. 
- type: long -process.responsible.pe.sections.name: - dashed_name: process-responsible-pe-sections-name - description: PE Section List name. - flat_name: process.responsible.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword -process.responsible.pe.sections.physical_size: - dashed_name: process-responsible-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.responsible.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.responsible.pe.sections.var_entropy: - dashed_name: process-responsible-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.responsible.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.responsible.pe.sections.virtual_size: - dashed_name: process-responsible-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.responsible.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.responsible.pid: - dashed_name: process-responsible-pid - description: Process id. - example: 4242 - flat_name: process.responsible.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long -process.responsible.platform_binary: - beta: This field is beta and subject to change. 
- dashed_name: process-responsible-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. - flat_name: process.responsible.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.responsible.real_group.domain: - dashed_name: process-responsible-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.responsible.real_group.id: - dashed_name: process-responsible-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.responsible.real_group.name: - dashed_name: process-responsible-real-group-name - description: Name of the group. - flat_name: process.responsible.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.responsible.real_user.domain: - dashed_name: process-responsible-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. 
- type: keyword -process.responsible.real_user.email: - dashed_name: process-responsible-real-user-email - description: User email address. - flat_name: process.responsible.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.responsible.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.responsible.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.responsible.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.responsible.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.responsible.real_user.entity.display_name: - beta: This field is beta and subject to change. 
- dashed_name: process-responsible-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.responsible.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.real_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.responsible.real_user.entity.id: - dashed_name: process-responsible-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.responsible.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.responsible.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. 
- flat_name: process.responsible.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.responsible.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.responsible.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.responsible.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.responsible.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.responsible.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. 
- flat_name: process.responsible.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.real_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.responsible.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.responsible.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.responsible.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.responsible.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.responsible.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). 
- flat_name: process.responsible.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.responsible.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.responsible.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.responsible.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. 
- Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. 
Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.responsible.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.responsible.real_user.full_name: - dashed_name: process-responsible-real-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.responsible.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.responsible.real_user.group.domain: - dashed_name: process-responsible-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.responsible.real_user.group.id: - dashed_name: process-responsible-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.responsible.real_user.group.name: - dashed_name: process-responsible-real-user-group-name - description: Name of the group. - flat_name: process.responsible.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.responsible.real_user.hash: - dashed_name: process-responsible-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.responsible.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.responsible.real_user.id: - dashed_name: process-responsible-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.responsible.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.responsible.real_user.name: - dashed_name: process-responsible-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.responsible.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.responsible.real_user.risk.calculated_level: - dashed_name: process-responsible-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.responsible.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.responsible.real_user.risk.calculated_score: - dashed_name: process-responsible-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.responsible.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.responsible.real_user.risk.calculated_score_norm: - dashed_name: process-responsible-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.responsible.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.responsible.real_user.risk.static_level: - dashed_name: process-responsible-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.responsible.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.responsible.real_user.risk.static_score: - dashed_name: process-responsible-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.responsible.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.responsible.real_user.risk.static_score_norm: - dashed_name: process-responsible-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.responsible.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.responsible.real_user.roles: - dashed_name: process-responsible-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.responsible.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.responsible.same_as_process: - dashed_name: process-responsible-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. 
e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.responsible.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.responsible.saved_group.domain: - dashed_name: process-responsible-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.responsible.saved_group.id: - dashed_name: process-responsible-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.responsible.saved_group.name: - dashed_name: process-responsible-saved-group-name - description: Name of the group. - flat_name: process.responsible.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.responsible.saved_user.domain: - dashed_name: process-responsible-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.responsible.saved_user.email: - dashed_name: process-responsible-saved-user-email - description: User email address. - flat_name: process.responsible.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.responsible.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.responsible.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.responsible.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. 
Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.responsible.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.responsible.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.responsible.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.saved_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.responsible.saved_user.entity.id: - dashed_name: process-responsible-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' 
- flat_name: process.responsible.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.responsible.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.responsible.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.responsible.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.responsible.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.responsible.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.responsible.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. 
- type: object -process.responsible.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.responsible.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.saved_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.responsible.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.responsible.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.responsible.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. 
- flat_name: process.responsible.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.responsible.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.responsible.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.responsible.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.responsible.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.responsible.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. 
- name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. 
This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
- example: host - flat_name: process.responsible.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.responsible.saved_user.full_name: - dashed_name: process-responsible-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.responsible.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.responsible.saved_user.group.domain: - dashed_name: process-responsible-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.responsible.saved_user.group.id: - dashed_name: process-responsible-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.responsible.saved_user.group.name: - dashed_name: process-responsible-saved-user-group-name - description: Name of the group. - flat_name: process.responsible.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.responsible.saved_user.hash: - dashed_name: process-responsible-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.responsible.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.responsible.saved_user.id: - dashed_name: process-responsible-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.responsible.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.responsible.saved_user.name: - dashed_name: process-responsible-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.responsible.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.responsible.saved_user.risk.calculated_level: - dashed_name: process-responsible-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.responsible.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: keyword -process.responsible.saved_user.risk.calculated_score: - dashed_name: process-responsible-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.responsible.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.responsible.saved_user.risk.calculated_score_norm: - dashed_name: process-responsible-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.responsible.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.responsible.saved_user.risk.static_level: - dashed_name: process-responsible-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.responsible.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.responsible.saved_user.risk.static_score: - dashed_name: process-responsible-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.responsible.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.responsible.saved_user.risk.static_score_norm: - dashed_name: process-responsible-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.responsible.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.responsible.saved_user.roles: - dashed_name: process-responsible-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.responsible.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.responsible.start: - dashed_name: process-responsible-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.responsible.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.responsible.supplemental_groups.domain: - dashed_name: process-responsible-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.responsible.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.responsible.supplemental_groups.id: - dashed_name: process-responsible-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.responsible.supplemental_groups.name: - dashed_name: process-responsible-supplemental-groups-name - description: Name of the group. - flat_name: process.responsible.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.responsible.thread.capabilities.effective: - dashed_name: process-responsible-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.responsible.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword -process.responsible.thread.capabilities.permitted: - dashed_name: process-responsible-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.responsible.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword -process.responsible.thread.id: - dashed_name: process-responsible-thread-id - description: Thread ID. - example: 4242 - flat_name: process.responsible.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long -process.responsible.thread.name: - dashed_name: process-responsible-thread-name - description: Thread name. - example: thread-0 - flat_name: process.responsible.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword -process.responsible.title: - dashed_name: process-responsible-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: for - example a browser setting its title to the web page currently opened.' - flat_name: process.responsible.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword -process.responsible.tty: - dashed_name: process-responsible-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.responsible.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. 
- type: object -process.responsible.tty.char_device.major: - dashed_name: process-responsible-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.responsible.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long -process.responsible.tty.char_device.minor: - dashed_name: process-responsible-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.responsible.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long -process.responsible.tty.columns: - dashed_name: process-responsible-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.responsible.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long -process.responsible.tty.rows: - dashed_name: process-responsible-tty-rows - description: 'The number of character rows in the terminal. 
e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.responsible.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long -process.responsible.uptime: - dashed_name: process-responsible-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.responsible.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long -process.responsible.user.domain: - dashed_name: process-responsible-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.responsible.user.email: - dashed_name: process-responsible-user-email - description: User email address. - flat_name: process.responsible.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.responsible.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. 
- flat_name: process.responsible.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.responsible.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.responsible.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.responsible.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.responsible.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.responsible.user.entity.id: - dashed_name: process-responsible-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.responsible.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.responsible.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.responsible.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.responsible.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.responsible.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. 
- type: object -process.responsible.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.responsible.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.responsible.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.responsible.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.responsible.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.responsible.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.responsible.user.entity.reference: - beta: This field is beta and subject to change. 
- dashed_name: process-responsible-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.responsible.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.responsible.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.responsible.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.responsible.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.responsible.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. 
- type: keyword -process.responsible.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. 
- name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-type - description: 'A standardized high-level classification of the entity. 
This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.responsible.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.responsible.user.full_name: - dashed_name: process-responsible-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.responsible.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.responsible.user.group.domain: - dashed_name: process-responsible-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.responsible.user.group.id: - dashed_name: process-responsible-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.responsible.user.group.name: - dashed_name: process-responsible-user-group-name - description: Name of the group. 
- flat_name: process.responsible.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.responsible.user.hash: - dashed_name: process-responsible-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.responsible.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.responsible.user.id: - dashed_name: process-responsible-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.responsible.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.responsible.user.name: - dashed_name: process-responsible-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.responsible.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.responsible.user.risk.calculated_level: - dashed_name: process-responsible-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: High - flat_name: process.responsible.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.responsible.user.risk.calculated_score: - dashed_name: process-responsible-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.responsible.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.responsible.user.risk.calculated_score_norm: - dashed_name: process-responsible-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.responsible.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.responsible.user.risk.static_level: - dashed_name: process-responsible-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.responsible.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: keyword -process.responsible.user.risk.static_score: - dashed_name: process-responsible-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.responsible.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.responsible.user.risk.static_score_norm: - dashed_name: process-responsible-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.responsible.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.responsible.user.roles: - dashed_name: process-responsible-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.responsible.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.responsible.vpid: - dashed_name: process-responsible-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.responsible.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. 
- type: long -process.responsible.working_directory: - dashed_name: process-responsible-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.responsible.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword -process.same_as_process: - dashed_name: process-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.same_as_process - level: extended - name: same_as_process - normalize: [] - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.saved_group.domain: - dashed_name: process-saved-group-domain - description: 'Name of the directory the group is a member of. 
- - For example, an LDAP or Active Directory domain name.' - flat_name: process.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.saved_group.id: - dashed_name: process-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.saved_group.name: - dashed_name: process-saved-group-name - description: Name of the group. - flat_name: process.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.saved_user.domain: - dashed_name: process-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.saved_user.email: - dashed_name: process-saved-user-email - description: User email address. - flat_name: process.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. 
Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.saved_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. 
- type: keyword -process.saved_user.entity.id: - dashed_name: process-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.saved_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. 
- type: object -process.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. 
- type: keyword -process.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. 
- name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-type - description: 'A standardized high-level classification of the entity. 
This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.saved_user.full_name: - dashed_name: process-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.saved_user.group.domain: - dashed_name: process-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.saved_user.group.id: - dashed_name: process-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.saved_user.group.name: - dashed_name: process-saved-user-group-name - description: Name of the group. - flat_name: process.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.saved_user.hash: - dashed_name: process-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.saved_user.id: - dashed_name: process-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - otel: - - relation: match - short: Unique identifier of the user. - type: keyword -process.saved_user.name: - dashed_name: process-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - otel: - - relation: match - short: Short name or login of the user. - type: keyword -process.saved_user.risk.calculated_level: - dashed_name: process-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: keyword -process.saved_user.risk.calculated_score: - dashed_name: process-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.saved_user.risk.calculated_score_norm: - dashed_name: process-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.saved_user.risk.static_level: - dashed_name: process-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.saved_user.risk.static_score: - dashed_name: process-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.saved_user.risk.static_score_norm: - dashed_name: process-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.saved_user.roles: - dashed_name: process-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.session_leader.args: - dashed_name: process-session-leader-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.session_leader.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword -process.session_leader.args_count: - dashed_name: process-session-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. 
More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.session_leader.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long -process.session_leader.attested_groups.domain: - dashed_name: process-session-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.attested_groups.id: - dashed_name: process-session-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.attested_groups.name: - dashed_name: process-session-leader-attested-groups-name - description: Name of the group. - flat_name: process.session_leader.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.attested_user.domain: - dashed_name: process-session-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. 
- type: keyword -process.session_leader.attested_user.email: - dashed_name: process-session-leader-attested-user-email - description: User email address. - flat_name: process.session_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.session_leader.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.session_leader.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.session_leader.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. 
- type: object -process.session_leader.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.attested_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.session_leader.attested_user.entity.id: - dashed_name: process-session-leader-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.session_leader.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.session_leader.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.session_leader.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.session_leader.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.session_leader.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.session_leader.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-name - description: The name of the entity. 
The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.session_leader.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.attested_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.session_leader.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.session_leader.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.session_leader.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.session_leader.attested_user.entity.source: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-attested-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.session_leader.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.session_leader.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.session_leader.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. 
- The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. 
Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.session_leader.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. 
- type: keyword -process.session_leader.attested_user.full_name: - dashed_name: process-session-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.session_leader.attested_user.group.domain: - dashed_name: process-session-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.attested_user.group.id: - dashed_name: process-session-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.attested_user.group.name: - dashed_name: process-session-leader-attested-user-group-name - description: Name of the group. - flat_name: process.session_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.attested_user.hash: - dashed_name: process-session-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. 
- - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.attested_user.id: - dashed_name: process-session-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.session_leader.attested_user.name: - dashed_name: process-session-leader-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.session_leader.attested_user.risk.calculated_level: - dashed_name: process-session-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: keyword -process.session_leader.attested_user.risk.calculated_score: - dashed_name: process-session-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.session_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-session-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.session_leader.attested_user.risk.static_level: - dashed_name: process-session-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: keyword -process.session_leader.attested_user.risk.static_score: - dashed_name: process-session-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.session_leader.attested_user.risk.static_score_norm: - dashed_name: process-session-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.attested_user.roles: - dashed_name: process-session-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.session_leader.code_signature.digest_algorithm: - dashed_name: process-session-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' 
- example: sha256 - flat_name: process.session_leader.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword -process.session_leader.code_signature.exists: - dashed_name: process-session-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.session_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -process.session_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.session_leader.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword -process.session_leader.code_signature.signing_id: - dashed_name: process-session-leader-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.session_leader.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword -process.session_leader.code_signature.status: - dashed_name: process-session-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. 
Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.session_leader.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword -process.session_leader.code_signature.subject_name: - dashed_name: process-session-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.session_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -process.session_leader.code_signature.team_id: - dashed_name: process-session-leader-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.session_leader.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword -process.session_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.session_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. 
- type: keyword -process.session_leader.code_signature.timestamp: - dashed_name: process-session-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.session_leader.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date -process.session_leader.code_signature.trusted: - dashed_name: process-session-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.session_leader.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -process.session_leader.code_signature.valid: - dashed_name: process-session-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.session_leader.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -process.session_leader.command_line: - dashed_name: process-session-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' 
- example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.session_leader.command_line - level: extended - multi_fields: - - flat_name: process.session_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.session_leader.elf.architecture: - dashed_name: process-session-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.session_leader.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword -process.session_leader.elf.byte_order: - dashed_name: process-session-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.session_leader.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword -process.session_leader.elf.cpu_type: - dashed_name: process-session-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.session_leader.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword -process.session_leader.elf.creation_date: - dashed_name: process-session-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - flat_name: process.session_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. 
- type: date -process.session_leader.elf.exports: - dashed_name: process-session-leader-elf-exports - description: List of exported element names and types. - flat_name: process.session_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -process.session_leader.elf.go_import_hash: - dashed_name: process-session-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword -process.session_leader.elf.go_imports: - dashed_name: process-session-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened -process.session_leader.elf.go_imports_names_entropy: - dashed_name: process-session-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. 
- type: long -process.session_leader.elf.go_imports_names_var_entropy: - dashed_name: process-session-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.elf.go_stripped: - dashed_name: process-session-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.session_leader.elf.header.abi_version: - dashed_name: process-session-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.session_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword -process.session_leader.elf.header.class: - dashed_name: process-session-leader-elf-header-class - description: Header class of the ELF file. - flat_name: process.session_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword -process.session_leader.elf.header.data: - dashed_name: process-session-leader-elf-header-data - description: Data table of the ELF header. 
- flat_name: process.session_leader.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword -process.session_leader.elf.header.entrypoint: - dashed_name: process-session-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.session_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -process.session_leader.elf.header.object_version: - dashed_name: process-session-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.session_leader.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword -process.session_leader.elf.header.os_abi: - dashed_name: process-session-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.session_leader.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword -process.session_leader.elf.header.type: - dashed_name: process-session-leader-elf-header-type - description: Header type of the ELF file. - flat_name: process.session_leader.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword -process.session_leader.elf.header.version: - dashed_name: process-session-leader-elf-header-version - description: Version of the ELF header. 
- flat_name: process.session_leader.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword -process.session_leader.elf.import_hash: - dashed_name: process-session-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword -process.session_leader.elf.imports: - dashed_name: process-session-leader-elf-imports - description: List of imported element names and types. - flat_name: process.session_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -process.session_leader.elf.imports_names_entropy: - dashed_name: process-session-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.session_leader.elf.imports_names_var_entropy: - dashed_name: process-session-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- flat_name: process.session_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.session_leader.elf.sections: - dashed_name: process-session-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: process.session_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -process.session_leader.elf.sections.chi2: - dashed_name: process-session-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.session_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long -process.session_leader.elf.sections.entropy: - dashed_name: process-session-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.session_leader.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -process.session_leader.elf.sections.flags: - dashed_name: process-session-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.session_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. 
- type: keyword -process.session_leader.elf.sections.name: - dashed_name: process-session-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.session_leader.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword -process.session_leader.elf.sections.physical_offset: - dashed_name: process-session-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.session_leader.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword -process.session_leader.elf.sections.physical_size: - dashed_name: process-session-leader-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.session_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long -process.session_leader.elf.sections.type: - dashed_name: process-session-leader-elf-sections-type - description: ELF Section List type. - flat_name: process.session_leader.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword -process.session_leader.elf.sections.var_entropy: - dashed_name: process-session-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. 
- type: long -process.session_leader.elf.sections.virtual_address: - dashed_name: process-session-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.session_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -process.session_leader.elf.sections.virtual_size: - dashed_name: process-session-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.session_leader.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long -process.session_leader.elf.segments: - dashed_name: process-session-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: process.session_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested -process.session_leader.elf.segments.sections: - dashed_name: process-session-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.session_leader.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword -process.session_leader.elf.segments.type: - dashed_name: process-session-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.session_leader.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. 
- type: keyword -process.session_leader.elf.shared_libraries: - dashed_name: process-session-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.session_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword -process.session_leader.elf.telfhash: - dashed_name: process-session-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.session_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword -process.session_leader.end: - dashed_name: process-session-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date -process.session_leader.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.session_leader.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.session_leader.entity_id: - dashed_name: process-session-leader-entity-id - description: 'Unique identifier for the process. 
- - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.session_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.session_leader.entry_meta.source.address: - dashed_name: process-session-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.session_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword -process.session_leader.entry_meta.source.as.number: - dashed_name: process-session-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.session_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.session_leader.entry_meta.source.as.organization.name: - dashed_name: process-session-leader-entry-meta-source-as-organization-name - description: Organization name. 
- example: Google LLC - flat_name: process.session_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword -process.session_leader.entry_meta.source.bytes: - dashed_name: process-session-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.session_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long -process.session_leader.entry_meta.source.domain: - dashed_name: process-session-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' - example: foo.example.com - flat_name: process.session_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.session_leader.entry_meta.source.geo.city_name: - dashed_name: process-session-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.session_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.session_leader.entry_meta.source.geo.continent_code: - dashed_name: process-session-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. 
- example: NA - flat_name: process.session_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -process.session_leader.entry_meta.source.geo.continent_name: - dashed_name: process-session-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.session_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword -process.session_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-session-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.session_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword -process.session_leader.entry_meta.source.geo.country_name: - dashed_name: process-session-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.session_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.session_leader.entry_meta.source.geo.location: - dashed_name: process-session-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.session_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. 
- type: geo_point -process.session_leader.entry_meta.source.geo.name: - dashed_name: process-session-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.session_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.session_leader.entry_meta.source.geo.postal_code: - dashed_name: process-session-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.session_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -process.session_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-session-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.session_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.session_leader.entry_meta.source.geo.region_name: - dashed_name: process-session-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.session_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. 
- type: keyword -process.session_leader.entry_meta.source.geo.timezone: - dashed_name: process-session-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.session_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -process.session_leader.entry_meta.source.ip: - dashed_name: process-session-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.session_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.session_leader.entry_meta.source.mac: - dashed_name: process-session-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.session_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.session_leader.entry_meta.source.nat.ip: - dashed_name: process-session-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' 
- flat_name: process.session_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.session_leader.entry_meta.source.nat.port: - dashed_name: process-session-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.session_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.session_leader.entry_meta.source.packets: - dashed_name: process-session-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.session_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.session_leader.entry_meta.source.port: - dashed_name: process-session-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.session_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.session_leader.entry_meta.source.registered_domain: - dashed_name: process-session-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' 
- example: example.com - flat_name: process.session_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword -process.session_leader.entry_meta.source.subdomain: - dashed_name: process-session-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.session_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword -process.session_leader.entry_meta.source.top_level_domain: - dashed_name: process-session-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' 
- example: co.uk - flat_name: process.session_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword -process.session_leader.entry_meta.type: - dashed_name: process-session-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.session_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword -process.session_leader.env_vars: - dashed_name: process-session-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.session_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.session_leader.executable: - dashed_name: process-session-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.session_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. 
- type: keyword -process.session_leader.exit_code: - dashed_name: process-session-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.session_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long -process.session_leader.group.domain: - dashed_name: process-session-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.group.id: - dashed_name: process-session-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.group.name: - dashed_name: process-session-leader-group-name - description: Name of the group. - flat_name: process.session_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. 
- example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.session_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.session_leader.hash.md5: - dashed_name: process-session-leader-hash-md5 - description: MD5 hash. - flat_name: process.session_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.session_leader.hash.sha1: - dashed_name: process-session-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.session_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.session_leader.hash.sha256: - dashed_name: process-session-leader-hash-sha256 - description: SHA256 hash. - flat_name: process.session_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.session_leader.hash.sha384: - dashed_name: process-session-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.session_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword -process.session_leader.hash.sha512: - dashed_name: process-session-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.session_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.session_leader.hash.ssdeep: - dashed_name: process-session-leader-hash-ssdeep - description: SSDEEP hash. 
- flat_name: process.session_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -process.session_leader.hash.tlsh: - dashed_name: process-session-leader-hash-tlsh - description: TLSH hash. - flat_name: process.session_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword -process.session_leader.interactive: - dashed_name: process-session-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.session_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.session_leader.io: - dashed_name: process-session-leader-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.session_leader.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. 
- type: object -process.session_leader.io.bytes_skipped: - dashed_name: process-session-leader-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. - flat_name: process.session_leader.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been skipped. - type: object -process.session_leader.io.bytes_skipped.length: - dashed_name: process-session-leader-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.session_leader.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long -process.session_leader.io.bytes_skipped.offset: - dashed_name: process-session-leader-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.session_leader.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.session_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-session-leader-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.session_leader.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. 
- type: boolean -process.session_leader.io.text: - dashed_name: process-session-leader-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.session_leader.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard -process.session_leader.io.total_bytes_captured: - dashed_name: process-session-leader-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.session_leader.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long -process.session_leader.io.total_bytes_skipped: - dashed_name: process-session-leader-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.session_leader.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. - type: long -process.session_leader.io.type: - dashed_name: process-session-leader-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' 
- flat_name: process.session_leader.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword -process.session_leader.macho.go_import_hash: - dashed_name: process-session-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword -process.session_leader.macho.go_imports: - dashed_name: process-session-leader-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.session_leader.macho.go_imports_names_entropy: - dashed_name: process-session-leader-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. 
- type: long -process.session_leader.macho.go_imports_names_var_entropy: - dashed_name: process-session-leader-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.macho.go_stripped: - dashed_name: process-session-leader-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.session_leader.macho.import_hash: - dashed_name: process-session-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.session_leader.macho.imports: - dashed_name: process-session-leader-macho-imports - description: List of imported element names and types. - flat_name: process.session_leader.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. 
- type: flattened -process.session_leader.macho.imports_names_entropy: - dashed_name: process-session-leader-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.session_leader.macho.imports_names_var_entropy: - dashed_name: process-session-leader-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.session_leader.macho.sections: - dashed_name: process-session-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.session_leader.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested -process.session_leader.macho.sections.entropy: - dashed_name: process-session-leader-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.session_leader.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. 
- type: long -process.session_leader.macho.sections.name: - dashed_name: process-session-leader-macho-sections-name - description: Mach-O Section List name. - flat_name: process.session_leader.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword -process.session_leader.macho.sections.physical_size: - dashed_name: process-session-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.session_leader.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long -process.session_leader.macho.sections.var_entropy: - dashed_name: process-session-leader-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long -process.session_leader.macho.sections.virtual_size: - dashed_name: process-session-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.session_leader.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long -process.session_leader.macho.symhash: - dashed_name: process-session-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. 
An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.session_leader.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.session_leader.name: - dashed_name: process-session-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.session_leader.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword -process.session_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. - example: http://example.com/article1.html - flat_name: process.session_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.session_leader.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.session_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. 
- type: keyword -process.session_leader.parent.args: - dashed_name: process-session-leader-parent-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.session_leader.parent.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword -process.session_leader.parent.args_count: - dashed_name: process-session-leader-parent-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.session_leader.parent.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long -process.session_leader.parent.attested_groups.domain: - dashed_name: process-session-leader-parent-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.attested_groups.id: - dashed_name: process-session-leader-parent-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword -process.session_leader.parent.attested_groups.name: - dashed_name: process-session-leader-parent-attested-groups-name - description: Name of the group. - flat_name: process.session_leader.parent.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.attested_user.domain: - dashed_name: process-session-leader-parent-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.session_leader.parent.attested_user.email: - dashed_name: process-session-leader-parent-attested-user-email - description: User email address. - flat_name: process.session_leader.parent.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.parent.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.session_leader.parent.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. 
- type: object -process.session_leader.parent.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.session_leader.parent.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.session_leader.parent.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.parent.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.attested_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.session_leader.parent.attested_user.entity.id: - dashed_name: process-session-leader-parent-attested-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.session_leader.parent.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.session_leader.parent.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.parent.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.session_leader.parent.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.session_leader.parent.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.session_leader.parent.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.session_leader.parent.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.session_leader.parent.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.session_leader.parent.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.attested_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.session_leader.parent.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. 
While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.session_leader.parent.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.session_leader.parent.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.parent.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.session_leader.parent.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.session_leader.parent.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.session_leader.parent.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. 
- Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.parent.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.session_leader.parent.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. 
This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. 
This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.session_leader.parent.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.session_leader.parent.attested_user.full_name: - dashed_name: process-session-leader-parent-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.session_leader.parent.attested_user.group.domain: - dashed_name: process-session-leader-parent-attested-user-group-domain - description: 'Name of the directory the group is a member of. 
- - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.attested_user.group.id: - dashed_name: process-session-leader-parent-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.attested_user.group.name: - dashed_name: process-session-leader-parent-attested-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.attested_user.hash: - dashed_name: process-session-leader-parent-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.parent.attested_user.id: - dashed_name: process-session-leader-parent-attested-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.session_leader.parent.attested_user.name: - dashed_name: process-session-leader-parent-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.session_leader.parent.attested_user.risk.calculated_level: - dashed_name: process-session-leader-parent-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.session_leader.parent.attested_user.risk.calculated_score: - dashed_name: process-session-leader-parent-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: float -process.session_leader.parent.attested_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.parent.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.session_leader.parent.attested_user.risk.static_level: - dashed_name: process-session-leader-parent-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.session_leader.parent.attested_user.risk.static_score: - dashed_name: process-session-leader-parent-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.session_leader.parent.attested_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.parent.attested_user.roles: - dashed_name: process-session-leader-parent-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.code_signature.digest_algorithm: - dashed_name: process-session-leader-parent-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.session_leader.parent.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword -process.session_leader.parent.code_signature.exists: - dashed_name: process-session-leader-parent-code-signature-exists - description: Boolean to capture if a signature is present. 
- example: 'true' - flat_name: process.session_leader.parent.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -process.session_leader.parent.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.session_leader.parent.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword -process.session_leader.parent.code_signature.signing_id: - dashed_name: process-session-leader-parent-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.session_leader.parent.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword -process.session_leader.parent.code_signature.status: - dashed_name: process-session-leader-parent-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.session_leader.parent.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. 
- type: keyword -process.session_leader.parent.code_signature.subject_name: - dashed_name: process-session-leader-parent-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.session_leader.parent.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -process.session_leader.parent.code_signature.team_id: - dashed_name: process-session-leader-parent-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.session_leader.parent.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword -process.session_leader.parent.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.session_leader.parent.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword -process.session_leader.parent.code_signature.timestamp: - dashed_name: process-session-leader-parent-code-signature-timestamp - description: Date and time when the code signature was generated and signed. 
- example: '2021-01-01T12:10:30Z' - flat_name: process.session_leader.parent.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date -process.session_leader.parent.code_signature.trusted: - dashed_name: process-session-leader-parent-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.session_leader.parent.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -process.session_leader.parent.code_signature.valid: - dashed_name: process-session-leader-parent-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.session_leader.parent.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -process.session_leader.parent.command_line: - dashed_name: process-session-leader-parent-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' 
- example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.session_leader.parent.command_line - level: extended - multi_fields: - - flat_name: process.session_leader.parent.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.session_leader.parent.elf.architecture: - dashed_name: process-session-leader-parent-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.session_leader.parent.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword -process.session_leader.parent.elf.byte_order: - dashed_name: process-session-leader-parent-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.session_leader.parent.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword -process.session_leader.parent.elf.cpu_type: - dashed_name: process-session-leader-parent-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.session_leader.parent.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword -process.session_leader.parent.elf.creation_date: - dashed_name: process-session-leader-parent-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - flat_name: process.session_leader.parent.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. 
- type: date -process.session_leader.parent.elf.exports: - dashed_name: process-session-leader-parent-elf-exports - description: List of exported element names and types. - flat_name: process.session_leader.parent.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -process.session_leader.parent.elf.go_import_hash: - dashed_name: process-session-leader-parent-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword -process.session_leader.parent.elf.go_imports: - dashed_name: process-session-leader-parent-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened -process.session_leader.parent.elf.go_imports_names_entropy: - dashed_name: process-session-leader-parent-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.session_leader.parent.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.parent.elf.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.parent.elf.go_stripped: - dashed_name: process-session-leader-parent-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.session_leader.parent.elf.header.abi_version: - dashed_name: process-session-leader-parent-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.session_leader.parent.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword -process.session_leader.parent.elf.header.class: - dashed_name: process-session-leader-parent-elf-header-class - description: Header class of the ELF file. 
- flat_name: process.session_leader.parent.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword -process.session_leader.parent.elf.header.data: - dashed_name: process-session-leader-parent-elf-header-data - description: Data table of the ELF header. - flat_name: process.session_leader.parent.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword -process.session_leader.parent.elf.header.entrypoint: - dashed_name: process-session-leader-parent-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.session_leader.parent.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -process.session_leader.parent.elf.header.object_version: - dashed_name: process-session-leader-parent-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.session_leader.parent.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword -process.session_leader.parent.elf.header.os_abi: - dashed_name: process-session-leader-parent-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.session_leader.parent.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword -process.session_leader.parent.elf.header.type: - dashed_name: process-session-leader-parent-elf-header-type - description: Header type of the ELF file. 
- flat_name: process.session_leader.parent.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword -process.session_leader.parent.elf.header.version: - dashed_name: process-session-leader-parent-elf-header-version - description: Version of the ELF header. - flat_name: process.session_leader.parent.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword -process.session_leader.parent.elf.import_hash: - dashed_name: process-session-leader-parent-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword -process.session_leader.parent.elf.imports: - dashed_name: process-session-leader-parent-elf-imports - description: List of imported element names and types. - flat_name: process.session_leader.parent.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -process.session_leader.parent.elf.imports_names_entropy: - dashed_name: process-session-leader-parent-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.session_leader.parent.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.session_leader.parent.elf.imports_names_var_entropy: - dashed_name: process-session-leader-parent-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.session_leader.parent.elf.sections: - dashed_name: process-session-leader-parent-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: process.session_leader.parent.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -process.session_leader.parent.elf.sections.chi2: - dashed_name: process-session-leader-parent-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.session_leader.parent.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long -process.session_leader.parent.elf.sections.entropy: - dashed_name: process-session-leader-parent-elf-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.session_leader.parent.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -process.session_leader.parent.elf.sections.flags: - dashed_name: process-session-leader-parent-elf-sections-flags - description: ELF Section List flags. - flat_name: process.session_leader.parent.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword -process.session_leader.parent.elf.sections.name: - dashed_name: process-session-leader-parent-elf-sections-name - description: ELF Section List name. - flat_name: process.session_leader.parent.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword -process.session_leader.parent.elf.sections.physical_offset: - dashed_name: process-session-leader-parent-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.session_leader.parent.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword -process.session_leader.parent.elf.sections.physical_size: - dashed_name: process-session-leader-parent-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.session_leader.parent.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long -process.session_leader.parent.elf.sections.type: - dashed_name: process-session-leader-parent-elf-sections-type - description: ELF Section List type. 
- flat_name: process.session_leader.parent.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword -process.session_leader.parent.elf.sections.var_entropy: - dashed_name: process-session-leader-parent-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long -process.session_leader.parent.elf.sections.virtual_address: - dashed_name: process-session-leader-parent-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.session_leader.parent.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -process.session_leader.parent.elf.sections.virtual_size: - dashed_name: process-session-leader-parent-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.session_leader.parent.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long -process.session_leader.parent.elf.segments: - dashed_name: process-session-leader-parent-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: process.session_leader.parent.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. 
- type: nested -process.session_leader.parent.elf.segments.sections: - dashed_name: process-session-leader-parent-elf-segments-sections - description: ELF object segment sections. - flat_name: process.session_leader.parent.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword -process.session_leader.parent.elf.segments.type: - dashed_name: process-session-leader-parent-elf-segments-type - description: ELF object segment type. - flat_name: process.session_leader.parent.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword -process.session_leader.parent.elf.shared_libraries: - dashed_name: process-session-leader-parent-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.session_leader.parent.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword -process.session_leader.parent.elf.telfhash: - dashed_name: process-session-leader-parent-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.session_leader.parent.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword -process.session_leader.parent.end: - dashed_name: process-session-leader-parent-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. 
- type: date -process.session_leader.parent.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.session_leader.parent.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.session_leader.parent.entity_id: - dashed_name: process-session-leader-parent-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.session_leader.parent.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.session_leader.parent.entry_meta.source.address: - dashed_name: process-session-leader-parent-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' 
- flat_name: process.session_leader.parent.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword -process.session_leader.parent.entry_meta.source.as.number: - dashed_name: process-session-leader-parent-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.session_leader.parent.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.session_leader.parent.entry_meta.source.as.organization.name: - dashed_name: process-session-leader-parent-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.session_leader.parent.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword -process.session_leader.parent.entry_meta.source.bytes: - dashed_name: process-session-leader-parent-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.session_leader.parent.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long -process.session_leader.parent.entry_meta.source.domain: - dashed_name: process-session-leader-parent-entry-meta-source-domain - description: 'The domain name of the source system. 
- - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' - example: foo.example.com - flat_name: process.session_leader.parent.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.session_leader.parent.entry_meta.source.geo.city_name: - dashed_name: process-session-leader-parent-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.session_leader.parent.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.session_leader.parent.entry_meta.source.geo.continent_code: - dashed_name: process-session-leader-parent-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.session_leader.parent.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -process.session_leader.parent.entry_meta.source.geo.continent_name: - dashed_name: process-session-leader-parent-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.session_leader.parent.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword -process.session_leader.parent.entry_meta.source.geo.country_iso_code: - dashed_name: process-session-leader-parent-entry-meta-source-geo-country-iso-code - description: Country ISO code. 
- example: CA - flat_name: process.session_leader.parent.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword -process.session_leader.parent.entry_meta.source.geo.country_name: - dashed_name: process-session-leader-parent-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.session_leader.parent.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.session_leader.parent.entry_meta.source.geo.location: - dashed_name: process-session-leader-parent-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.session_leader.parent.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -process.session_leader.parent.entry_meta.source.geo.name: - dashed_name: process-session-leader-parent-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.session_leader.parent.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.session_leader.parent.entry_meta.source.geo.postal_code: - dashed_name: process-session-leader-parent-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. 
- - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.session_leader.parent.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -process.session_leader.parent.entry_meta.source.geo.region_iso_code: - dashed_name: process-session-leader-parent-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.session_leader.parent.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.session_leader.parent.entry_meta.source.geo.region_name: - dashed_name: process-session-leader-parent-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.session_leader.parent.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -process.session_leader.parent.entry_meta.source.geo.timezone: - dashed_name: process-session-leader-parent-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.session_leader.parent.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -process.session_leader.parent.entry_meta.source.ip: - dashed_name: process-session-leader-parent-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.session_leader.parent.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. 
- type: ip -process.session_leader.parent.entry_meta.source.mac: - dashed_name: process-session-leader-parent-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.session_leader.parent.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.session_leader.parent.entry_meta.source.nat.ip: - dashed_name: process-session-leader-parent-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.session_leader.parent.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.session_leader.parent.entry_meta.source.nat.port: - dashed_name: process-session-leader-parent-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.session_leader.parent.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.session_leader.parent.entry_meta.source.packets: - dashed_name: process-session-leader-parent-entry-meta-source-packets - description: Packets sent from the source to the destination. 
- example: 12 - flat_name: process.session_leader.parent.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.session_leader.parent.entry_meta.source.port: - dashed_name: process-session-leader-parent-entry-meta-source-port - description: Port of the source. - flat_name: process.session_leader.parent.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.session_leader.parent.entry_meta.source.registered_domain: - dashed_name: process-session-leader-parent-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.session_leader.parent.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword -process.session_leader.parent.entry_meta.source.subdomain: - dashed_name: process-session-leader-parent-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.session_leader.parent.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword -process.session_leader.parent.entry_meta.source.top_level_domain: - dashed_name: process-session-leader-parent-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.session_leader.parent.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword -process.session_leader.parent.entry_meta.type: - dashed_name: process-session-leader-parent-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.session_leader.parent.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword -process.session_leader.parent.env_vars: - dashed_name: process-session-leader-parent-env-vars - description: 'Array of environment variable bindings. 
Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.session_leader.parent.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.executable: - dashed_name: process-session-leader-parent-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.session_leader.parent.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword -process.session_leader.parent.exit_code: - dashed_name: process-session-leader-parent-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.session_leader.parent.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long -process.session_leader.parent.group.domain: - dashed_name: process-session-leader-parent-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.session_leader.parent.group.id: - dashed_name: process-session-leader-parent-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.group.name: - dashed_name: process-session-leader-parent-group-name - description: Name of the group. - flat_name: process.session_leader.parent.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.session_leader.parent.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.session_leader.parent.hash.md5: - dashed_name: process-session-leader-parent-hash-md5 - description: MD5 hash. - flat_name: process.session_leader.parent.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.session_leader.parent.hash.sha1: - dashed_name: process-session-leader-parent-hash-sha1 - description: SHA1 hash. - flat_name: process.session_leader.parent.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. 
- type: keyword -process.session_leader.parent.hash.sha256: - dashed_name: process-session-leader-parent-hash-sha256 - description: SHA256 hash. - flat_name: process.session_leader.parent.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.session_leader.parent.hash.sha384: - dashed_name: process-session-leader-parent-hash-sha384 - description: SHA384 hash. - flat_name: process.session_leader.parent.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword -process.session_leader.parent.hash.sha512: - dashed_name: process-session-leader-parent-hash-sha512 - description: SHA512 hash. - flat_name: process.session_leader.parent.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.session_leader.parent.hash.ssdeep: - dashed_name: process-session-leader-parent-hash-ssdeep - description: SSDEEP hash. - flat_name: process.session_leader.parent.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -process.session_leader.parent.hash.tlsh: - dashed_name: process-session-leader-parent-hash-tlsh - description: TLSH hash. - flat_name: process.session_leader.parent.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword -process.session_leader.parent.interactive: - dashed_name: process-session-leader-parent-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. 
- - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.session_leader.parent.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.session_leader.parent.io: - dashed_name: process-session-leader-parent-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.session_leader.parent.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object -process.session_leader.parent.io.bytes_skipped: - dashed_name: process-session-leader-parent-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. - flat_name: process.session_leader.parent.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been skipped. - type: object -process.session_leader.parent.io.bytes_skipped.length: - dashed_name: process-session-leader-parent-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.session_leader.parent.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. 
- type: long -process.session_leader.parent.io.bytes_skipped.offset: - dashed_name: process-session-leader-parent-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.session_leader.parent.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.session_leader.parent.io.max_bytes_per_process_exceeded: - dashed_name: process-session-leader-parent-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.session_leader.parent.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.session_leader.parent.io.text: - dashed_name: process-session-leader-parent-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.session_leader.parent.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. 
- type: wildcard -process.session_leader.parent.io.total_bytes_captured: - dashed_name: process-session-leader-parent-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.session_leader.parent.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long -process.session_leader.parent.io.total_bytes_skipped: - dashed_name: process-session-leader-parent-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.session_leader.parent.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. - type: long -process.session_leader.parent.io.type: - dashed_name: process-session-leader-parent-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.session_leader.parent.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword -process.session_leader.parent.macho.go_import_hash: - dashed_name: process-session-leader-parent-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword -process.session_leader.parent.macho.go_imports: - dashed_name: process-session-leader-parent-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.session_leader.parent.macho.go_imports_names_entropy: - dashed_name: process-session-leader-parent-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.parent.macho.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long -process.session_leader.parent.macho.go_stripped: - dashed_name: process-session-leader-parent-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.session_leader.parent.macho.import_hash: - dashed_name: process-session-leader-parent-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.session_leader.parent.macho.imports: - dashed_name: process-session-leader-parent-macho-imports - description: List of imported element names and types. - flat_name: process.session_leader.parent.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened -process.session_leader.parent.macho.imports_names_entropy: - dashed_name: process-session-leader-parent-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.session_leader.parent.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.session_leader.parent.macho.imports_names_var_entropy: - dashed_name: process-session-leader-parent-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.session_leader.parent.macho.sections: - dashed_name: process-session-leader-parent-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.session_leader.parent.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested -process.session_leader.parent.macho.sections.entropy: - dashed_name: process-session-leader-parent-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long -process.session_leader.parent.macho.sections.name: - dashed_name: process-session-leader-parent-macho-sections-name - description: Mach-O Section List name. 
- flat_name: process.session_leader.parent.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword -process.session_leader.parent.macho.sections.physical_size: - dashed_name: process-session-leader-parent-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.session_leader.parent.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long -process.session_leader.parent.macho.sections.var_entropy: - dashed_name: process-session-leader-parent-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long -process.session_leader.parent.macho.sections.virtual_size: - dashed_name: process-session-leader-parent-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.session_leader.parent.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long -process.session_leader.parent.macho.symhash: - dashed_name: process-session-leader-parent-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. 
- - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.session_leader.parent.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.session_leader.parent.name: - dashed_name: process-session-leader-parent-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.session_leader.parent.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword -process.session_leader.parent.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. - example: http://example.com/article1.html - flat_name: process.session_leader.parent.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.session_leader.parent.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.session_leader.parent.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. 
- type: keyword -process.session_leader.parent.pe.architecture: - dashed_name: process-session-leader-parent-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.session_leader.parent.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword -process.session_leader.parent.pe.company: - dashed_name: process-session-leader-parent-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.session_leader.parent.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.session_leader.parent.pe.description: - dashed_name: process-session-leader-parent-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.session_leader.parent.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword -process.session_leader.parent.pe.file_version: - dashed_name: process-session-leader-parent-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.session_leader.parent.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword -process.session_leader.parent.pe.go_import_hash: - dashed_name: process-session-leader-parent-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword -process.session_leader.parent.pe.go_imports: - dashed_name: process-session-leader-parent-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened -process.session_leader.parent.pe.go_imports_names_entropy: - dashed_name: process-session-leader-parent-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.parent.pe.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long -process.session_leader.parent.pe.go_stripped: - dashed_name: process-session-leader-parent-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.session_leader.parent.pe.imphash: - dashed_name: process-session-leader-parent-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.session_leader.parent.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.session_leader.parent.pe.import_hash: - dashed_name: process-session-leader-parent-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.session_leader.parent.pe.imports: - dashed_name: process-session-leader-parent-pe-imports - description: List of imported element names and types. 
- flat_name: process.session_leader.parent.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened -process.session_leader.parent.pe.imports_names_entropy: - dashed_name: process-session-leader-parent-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.parent.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.session_leader.parent.pe.imports_names_var_entropy: - dashed_name: process-session-leader-parent-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.session_leader.parent.pe.original_file_name: - dashed_name: process-session-leader-parent-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.session_leader.parent.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword -process.session_leader.parent.pe.pehash: - dashed_name: process-session-leader-parent-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. 
- - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.session_leader.parent.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword -process.session_leader.parent.pe.product: - dashed_name: process-session-leader-parent-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.session_leader.parent.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.session_leader.parent.pe.sections: - dashed_name: process-session-leader-parent-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.session_leader.parent.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.session_leader.parent.pe.sections.entropy: - dashed_name: process-session-leader-parent-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long -process.session_leader.parent.pe.sections.name: - dashed_name: process-session-leader-parent-pe-sections-name - description: PE Section List name. 
- flat_name: process.session_leader.parent.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword -process.session_leader.parent.pe.sections.physical_size: - dashed_name: process-session-leader-parent-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.session_leader.parent.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.session_leader.parent.pe.sections.var_entropy: - dashed_name: process-session-leader-parent-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.session_leader.parent.pe.sections.virtual_size: - dashed_name: process-session-leader-parent-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.session_leader.parent.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.session_leader.parent.pid: - dashed_name: process-session-leader-parent-pid - description: Process id. - example: 4242 - flat_name: process.session_leader.parent.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long -process.session_leader.parent.platform_binary: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. - flat_name: process.session_leader.parent.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.session_leader.parent.real_group.domain: - dashed_name: process-session-leader-parent-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.real_group.id: - dashed_name: process-session-leader-parent-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.real_group.name: - dashed_name: process-session-leader-parent-real-group-name - description: Name of the group. - flat_name: process.session_leader.parent.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.real_user.domain: - dashed_name: process-session-leader-parent-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.session_leader.parent.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.session_leader.parent.real_user.email: - dashed_name: process-session-leader-parent-real-user-email - description: User email address. - flat_name: process.session_leader.parent.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.parent.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.session_leader.parent.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.session_leader.parent.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. 
- flat_name: process.session_leader.parent.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.session_leader.parent.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.parent.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.real_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.session_leader.parent.real_user.entity.id: - dashed_name: process-session-leader-parent-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.session_leader.parent.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. 
- type: keyword -process.session_leader.parent.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.parent.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.session_leader.parent.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.session_leader.parent.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.session_leader.parent.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.session_leader.parent.real_user.entity.name: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.session_leader.parent.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.real_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.session_leader.parent.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.session_leader.parent.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.session_leader.parent.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. 
- flat_name: process.session_leader.parent.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.session_leader.parent.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.session_leader.parent.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.session_leader.parent.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.parent.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.session_leader.parent.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. 
Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. 
Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. 
- Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.session_leader.parent.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.session_leader.parent.real_user.full_name: - dashed_name: process-session-leader-parent-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.session_leader.parent.real_user.group.domain: - dashed_name: process-session-leader-parent-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.real_user.group.id: - dashed_name: process-session-leader-parent-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.real_user.group.name: - dashed_name: process-session-leader-parent-real-user-group-name - description: Name of the group. 
- flat_name: process.session_leader.parent.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.real_user.hash: - dashed_name: process-session-leader-parent-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.parent.real_user.id: - dashed_name: process-session-leader-parent-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.session_leader.parent.real_user.name: - dashed_name: process-session-leader-parent-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.session_leader.parent.real_user.risk.calculated_level: - dashed_name: process-session-leader-parent-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: High - flat_name: process.session_leader.parent.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.session_leader.parent.real_user.risk.calculated_score: - dashed_name: process-session-leader-parent-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.session_leader.parent.real_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.parent.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.session_leader.parent.real_user.risk.static_level: - dashed_name: process-session-leader-parent-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.session_leader.parent.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.session_leader.parent.real_user.risk.static_score: - dashed_name: process-session-leader-parent-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.session_leader.parent.real_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.parent.real_user.roles: - dashed_name: process-session-leader-parent-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword -process.session_leader.parent.same_as_process: - dashed_name: process-session-leader-parent-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.session_leader.parent.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.session_leader.parent.saved_group.domain: - dashed_name: process-session-leader-parent-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.session_leader.parent.saved_group.id: - dashed_name: process-session-leader-parent-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.saved_group.name: - dashed_name: process-session-leader-parent-saved-group-name - description: Name of the group. - flat_name: process.session_leader.parent.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.saved_user.domain: - dashed_name: process-session-leader-parent-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.session_leader.parent.saved_user.email: - dashed_name: process-session-leader-parent-saved-user-email - description: User email address. - flat_name: process.session_leader.parent.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.parent.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. 
Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.session_leader.parent.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.session_leader.parent.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.session_leader.parent.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.session_leader.parent.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.session_leader.parent.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.saved_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.session_leader.parent.saved_user.entity.id: - dashed_name: process-session-leader-parent-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.session_leader.parent.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.session_leader.parent.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.parent.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." 
- type: date -process.session_leader.parent.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.session_leader.parent.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.session_leader.parent.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.session_leader.parent.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. 
- flat_name: process.session_leader.parent.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.saved_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.session_leader.parent.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.session_leader.parent.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.session_leader.parent.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.parent.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.session_leader.parent.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). 
- flat_name: process.session_leader.parent.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.session_leader.parent.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.parent.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.session_leader.parent.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. 
This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. 
This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.session_leader.parent.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.session_leader.parent.saved_user.full_name: - dashed_name: process-session-leader-parent-saved-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.session_leader.parent.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.session_leader.parent.saved_user.group.domain: - dashed_name: process-session-leader-parent-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.saved_user.group.id: - dashed_name: process-session-leader-parent-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.saved_user.group.name: - dashed_name: process-session-leader-parent-saved-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.saved_user.hash: - dashed_name: process-session-leader-parent-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.session_leader.parent.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.parent.saved_user.id: - dashed_name: process-session-leader-parent-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.session_leader.parent.saved_user.name: - dashed_name: process-session-leader-parent-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.session_leader.parent.saved_user.risk.calculated_level: - dashed_name: process-session-leader-parent-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: keyword -process.session_leader.parent.saved_user.risk.calculated_score: - dashed_name: process-session-leader-parent-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.session_leader.parent.saved_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.parent.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.session_leader.parent.saved_user.risk.static_level: - dashed_name: process-session-leader-parent-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: keyword -process.session_leader.parent.saved_user.risk.static_score: - dashed_name: process-session-leader-parent-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.session_leader.parent.saved_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.parent.saved_user.roles: - dashed_name: process-session-leader-parent-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.session_leader.args: - dashed_name: process-session-leader-parent-session-leader-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' 
- example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.session_leader.parent.session_leader.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword -process.session_leader.parent.session_leader.args_count: - dashed_name: process-session-leader-parent-session-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.session_leader.parent.session_leader.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long -process.session_leader.parent.session_leader.attested_groups.domain: - dashed_name: process-session-leader-parent-session-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.session_leader.attested_groups.id: - dashed_name: process-session-leader-parent-session-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword -process.session_leader.parent.session_leader.attested_groups.name: - dashed_name: process-session-leader-parent-session-leader-attested-groups-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.session_leader.attested_user.domain: - dashed_name: process-session-leader-parent-session-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.session_leader.parent.session_leader.attested_user.email: - dashed_name: process-session-leader-parent-session-leader-attested-user-email - description: User email address. - flat_name: process.session_leader.parent.session_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.parent.session_leader.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. 
- flat_name: process.session_leader.parent.session_leader.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.session_leader.parent.session_leader.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.session_leader.parent.session_leader.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.session_leader.parent.session_leader.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.attested_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.session_leader.parent.session_leader.attested_user.entity.id: - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.session_leader.parent.session_leader.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.session_leader.parent.session_leader.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. 
- flat_name: process.session_leader.parent.session_leader.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.session_leader.parent.session_leader.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.session_leader.parent.session_leader.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.session_leader.parent.session_leader.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.session_leader.parent.session_leader.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. 
For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.session_leader.parent.session_leader.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.attested_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.session_leader.parent.session_leader.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.session_leader.parent.session_leader.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.session_leader.parent.session_leader.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.parent.session_leader.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. 
- type: keyword -process.session_leader.parent.session_leader.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.session_leader.parent.session_leader.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.session_leader.parent.session_leader.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.parent.session_leader.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.session_leader.parent.session_leader.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. 
- name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. 
This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
- example: host - flat_name: process.session_leader.parent.session_leader.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.session_leader.parent.session_leader.attested_user.full_name: - dashed_name: process-session-leader-parent-session-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.session_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.session_leader.parent.session_leader.attested_user.group.domain: - dashed_name: process-session-leader-parent-session-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.session_leader.attested_user.group.id: - dashed_name: process-session-leader-parent-session-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword -process.session_leader.parent.session_leader.attested_user.group.name: - dashed_name: process-session-leader-parent-session-leader-attested-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.session_leader.attested_user.hash: - dashed_name: process-session-leader-parent-session-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.session_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.parent.session_leader.attested_user.id: - dashed_name: process-session-leader-parent-session-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.session_leader.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.session_leader.parent.session_leader.attested_user.name: - dashed_name: process-session-leader-parent-session-leader-attested-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.session_leader.parent.session_leader.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.session_leader.parent.session_leader.attested_user.risk.calculated_level: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.session_leader.parent.session_leader.attested_user.risk.calculated_score: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: float -process.session_leader.parent.session_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.session_leader.parent.session_leader.attested_user.risk.static_level: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.session_leader.parent.session_leader.attested_user.risk.static_score: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.session_leader.parent.session_leader.attested_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.parent.session_leader.attested_user.roles: - dashed_name: process-session-leader-parent-session-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.session_leader.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.session_leader.code_signature.digest_algorithm: - dashed_name: process-session-leader-parent-session-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.session_leader.parent.session_leader.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. 
- type: keyword -process.session_leader.parent.session_leader.code_signature.exists: - dashed_name: process-session-leader-parent-session-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.session_leader.parent.session_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -process.session_leader.parent.session_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.session_leader.parent.session_leader.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword -process.session_leader.parent.session_leader.code_signature.signing_id: - dashed_name: process-session-leader-parent-session-leader-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.session_leader.parent.session_leader.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword -process.session_leader.parent.session_leader.code_signature.status: - dashed_name: process-session-leader-parent-session-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. 
Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.session_leader.parent.session_leader.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword -process.session_leader.parent.session_leader.code_signature.subject_name: - dashed_name: process-session-leader-parent-session-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.session_leader.parent.session_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -process.session_leader.parent.session_leader.code_signature.team_id: - dashed_name: process-session-leader-parent-session-leader-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.session_leader.parent.session_leader.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword -process.session_leader.parent.session_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. 
- example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.session_leader.parent.session_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword -process.session_leader.parent.session_leader.code_signature.timestamp: - dashed_name: process-session-leader-parent-session-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.session_leader.parent.session_leader.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date -process.session_leader.parent.session_leader.code_signature.trusted: - dashed_name: process-session-leader-parent-session-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.session_leader.parent.session_leader.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -process.session_leader.parent.session_leader.code_signature.valid: - dashed_name: process-session-leader-parent-session-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' 
- example: 'true' - flat_name: process.session_leader.parent.session_leader.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -process.session_leader.parent.session_leader.command_line: - dashed_name: process-session-leader-parent-session-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.session_leader.parent.session_leader.command_line - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.session_leader.parent.session_leader.elf.architecture: - dashed_name: process-session-leader-parent-session-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.session_leader.parent.session_leader.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword -process.session_leader.parent.session_leader.elf.byte_order: - dashed_name: process-session-leader-parent-session-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.session_leader.parent.session_leader.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. 
- type: keyword -process.session_leader.parent.session_leader.elf.cpu_type: - dashed_name: process-session-leader-parent-session-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.session_leader.parent.session_leader.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword -process.session_leader.parent.session_leader.elf.creation_date: - dashed_name: process-session-leader-parent-session-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - flat_name: process.session_leader.parent.session_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date -process.session_leader.parent.session_leader.elf.exports: - dashed_name: process-session-leader-parent-session-leader-elf-exports - description: List of exported element names and types. - flat_name: process.session_leader.parent.session_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -process.session_leader.parent.session_leader.elf.go_import_hash: - dashed_name: process-session-leader-parent-session-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.session_leader.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword -process.session_leader.parent.session_leader.elf.go_imports: - dashed_name: process-session-leader-parent-session-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.session_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened -process.session_leader.parent.session_leader.elf.go_imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.parent.session_leader.elf.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long -process.session_leader.parent.session_leader.elf.go_stripped: - dashed_name: process-session-leader-parent-session-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.session_leader.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.session_leader.parent.session_leader.elf.header.abi_version: - dashed_name: process-session-leader-parent-session-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.session_leader.parent.session_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword -process.session_leader.parent.session_leader.elf.header.class: - dashed_name: process-session-leader-parent-session-leader-elf-header-class - description: Header class of the ELF file. - flat_name: process.session_leader.parent.session_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword -process.session_leader.parent.session_leader.elf.header.data: - dashed_name: process-session-leader-parent-session-leader-elf-header-data - description: Data table of the ELF header. - flat_name: process.session_leader.parent.session_leader.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. 
- type: keyword -process.session_leader.parent.session_leader.elf.header.entrypoint: - dashed_name: process-session-leader-parent-session-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.session_leader.parent.session_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -process.session_leader.parent.session_leader.elf.header.object_version: - dashed_name: process-session-leader-parent-session-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.session_leader.parent.session_leader.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword -process.session_leader.parent.session_leader.elf.header.os_abi: - dashed_name: process-session-leader-parent-session-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.session_leader.parent.session_leader.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword -process.session_leader.parent.session_leader.elf.header.type: - dashed_name: process-session-leader-parent-session-leader-elf-header-type - description: Header type of the ELF file. - flat_name: process.session_leader.parent.session_leader.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword -process.session_leader.parent.session_leader.elf.header.version: - dashed_name: process-session-leader-parent-session-leader-elf-header-version - description: Version of the ELF header. 
- flat_name: process.session_leader.parent.session_leader.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword -process.session_leader.parent.session_leader.elf.import_hash: - dashed_name: process-session-leader-parent-session-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.session_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword -process.session_leader.parent.session_leader.elf.imports: - dashed_name: process-session-leader-parent-session-leader-elf-imports - description: List of imported element names and types. - flat_name: process.session_leader.parent.session_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -process.session_leader.parent.session_leader.elf.imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.parent.session_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and types. 
- type: long -process.session_leader.parent.session_leader.elf.imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.session_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.session_leader.parent.session_leader.elf.sections: - dashed_name: process-session-leader-parent-session-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: process.session_leader.parent.session_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -process.session_leader.parent.session_leader.elf.sections.chi2: - dashed_name: process-session-leader-parent-session-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.session_leader.parent.session_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long -process.session_leader.parent.session_leader.elf.sections.entropy: - dashed_name: process-session-leader-parent-session-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.session_leader.parent.session_leader.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -process.session_leader.parent.session_leader.elf.sections.flags: - dashed_name: process-session-leader-parent-session-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.session_leader.parent.session_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword -process.session_leader.parent.session_leader.elf.sections.name: - dashed_name: process-session-leader-parent-session-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.session_leader.parent.session_leader.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword -process.session_leader.parent.session_leader.elf.sections.physical_offset: - dashed_name: process-session-leader-parent-session-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.session_leader.parent.session_leader.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword -process.session_leader.parent.session_leader.elf.sections.physical_size: - dashed_name: process-session-leader-parent-session-leader-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.session_leader.parent.session_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. 
- type: long -process.session_leader.parent.session_leader.elf.sections.type: - dashed_name: process-session-leader-parent-session-leader-elf-sections-type - description: ELF Section List type. - flat_name: process.session_leader.parent.session_leader.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword -process.session_leader.parent.session_leader.elf.sections.var_entropy: - dashed_name: process-session-leader-parent-session-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.session_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long -process.session_leader.parent.session_leader.elf.sections.virtual_address: - dashed_name: process-session-leader-parent-session-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.session_leader.parent.session_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -process.session_leader.parent.session_leader.elf.sections.virtual_size: - dashed_name: process-session-leader-parent-session-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.session_leader.parent.session_leader.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. 
- type: long -process.session_leader.parent.session_leader.elf.segments: - dashed_name: process-session-leader-parent-session-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: process.session_leader.parent.session_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested -process.session_leader.parent.session_leader.elf.segments.sections: - dashed_name: process-session-leader-parent-session-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.session_leader.parent.session_leader.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword -process.session_leader.parent.session_leader.elf.segments.type: - dashed_name: process-session-leader-parent-session-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.session_leader.parent.session_leader.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword -process.session_leader.parent.session_leader.elf.shared_libraries: - dashed_name: process-session-leader-parent-session-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.session_leader.parent.session_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. 
- type: keyword -process.session_leader.parent.session_leader.elf.telfhash: - dashed_name: process-session-leader-parent-session-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.session_leader.parent.session_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword -process.session_leader.parent.session_leader.end: - dashed_name: process-session-leader-parent-session-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.session_leader.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date -process.session_leader.parent.session_leader.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.session_leader.parent.session_leader.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.session_leader.parent.session_leader.entity_id: - dashed_name: process-session-leader-parent-session-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. 
- - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.session_leader.parent.session_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.session_leader.parent.session_leader.entry_meta.source.address: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.session_leader.parent.session_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword -process.session_leader.parent.session_leader.entry_meta.source.as.number: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.session_leader.parent.session_leader.entry_meta.source.as.organization.name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-as-organization-name - description: Organization name. 
- example: Google LLC - flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword -process.session_leader.parent.session_leader.entry_meta.source.bytes: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.session_leader.parent.session_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long -process.session_leader.parent.session_leader.entry_meta.source.domain: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' - example: foo.example.com - flat_name: process.session_leader.parent.session_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.session_leader.parent.session_leader.entry_meta.source.geo.city_name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. 
- type: keyword -process.session_leader.parent.session_leader.entry_meta.source.geo.continent_code: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -process.session_leader.parent.session_leader.entry_meta.source.geo.continent_name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword -process.session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword -process.session_leader.parent.session_leader.entry_meta.source.geo.country_name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. 
- type: keyword -process.session_leader.parent.session_leader.entry_meta.source.geo.location: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -process.session_leader.parent.session_leader.entry_meta.source.geo.name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.session_leader.parent.session_leader.entry_meta.source.geo.postal_code: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. 
- type: keyword -process.session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.session_leader.parent.session_leader.entry_meta.source.geo.region_name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -process.session_leader.parent.session_leader.entry_meta.source.geo.timezone: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -process.session_leader.parent.session_leader.entry_meta.source.ip: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.session_leader.parent.session_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. 
- type: ip -process.session_leader.parent.session_leader.entry_meta.source.mac: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.session_leader.parent.session_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.session_leader.parent.session_leader.entry_meta.source.nat.ip: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.session_leader.parent.session_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.session_leader.parent.session_leader.entry_meta.source.nat.port: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' 
- flat_name: process.session_leader.parent.session_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.session_leader.parent.session_leader.entry_meta.source.packets: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.session_leader.parent.session_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.session_leader.parent.session_leader.entry_meta.source.port: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.session_leader.parent.session_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.session_leader.parent.session_leader.entry_meta.source.registered_domain: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.session_leader.parent.session_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. 
- type: keyword -process.session_leader.parent.session_leader.entry_meta.source.subdomain: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.session_leader.parent.session_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword -process.session_leader.parent.session_leader.entry_meta.source.top_level_domain: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.session_leader.parent.session_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). 
- type: keyword -process.session_leader.parent.session_leader.entry_meta.type: - dashed_name: process-session-leader-parent-session-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.session_leader.parent.session_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword -process.session_leader.parent.session_leader.env_vars: - dashed_name: process-session-leader-parent-session-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.session_leader.parent.session_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.session_leader.executable: - dashed_name: process-session-leader-parent-session-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.session_leader.parent.session_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. 
- type: keyword -process.session_leader.parent.session_leader.exit_code: - dashed_name: process-session-leader-parent-session-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.session_leader.parent.session_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long -process.session_leader.parent.session_leader.group.domain: - dashed_name: process-session-leader-parent-session-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.session_leader.group.id: - dashed_name: process-session-leader-parent-session-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.session_leader.group.name: - dashed_name: process-session-leader-parent-session-leader-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.session_leader.hash.cdhash: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.session_leader.parent.session_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.session_leader.parent.session_leader.hash.md5: - dashed_name: process-session-leader-parent-session-leader-hash-md5 - description: MD5 hash. - flat_name: process.session_leader.parent.session_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.session_leader.parent.session_leader.hash.sha1: - dashed_name: process-session-leader-parent-session-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.session_leader.parent.session_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.session_leader.parent.session_leader.hash.sha256: - dashed_name: process-session-leader-parent-session-leader-hash-sha256 - description: SHA256 hash. - flat_name: process.session_leader.parent.session_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.session_leader.parent.session_leader.hash.sha384: - dashed_name: process-session-leader-parent-session-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.session_leader.parent.session_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. 
- type: keyword -process.session_leader.parent.session_leader.hash.sha512: - dashed_name: process-session-leader-parent-session-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.session_leader.parent.session_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.session_leader.parent.session_leader.hash.ssdeep: - dashed_name: process-session-leader-parent-session-leader-hash-ssdeep - description: SSDEEP hash. - flat_name: process.session_leader.parent.session_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -process.session_leader.parent.session_leader.hash.tlsh: - dashed_name: process-session-leader-parent-session-leader-hash-tlsh - description: TLSH hash. - flat_name: process.session_leader.parent.session_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword -process.session_leader.parent.session_leader.interactive: - dashed_name: process-session-leader-parent-session-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' 
- example: true - flat_name: process.session_leader.parent.session_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.session_leader.parent.session_leader.io: - dashed_name: process-session-leader-parent-session-leader-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.session_leader.parent.session_leader.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object -process.session_leader.parent.session_leader.io.bytes_skipped: - dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. - flat_name: process.session_leader.parent.session_leader.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been skipped. - type: object -process.session_leader.parent.session_leader.io.bytes_skipped.length: - dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.session_leader.parent.session_leader.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long -process.session_leader.parent.session_leader.io.bytes_skipped.offset: - dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. 
- flat_name: process.session_leader.parent.session_leader.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.session_leader.parent.session_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-session-leader-parent-session-leader-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.session_leader.parent.session_leader.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.session_leader.parent.session_leader.io.text: - dashed_name: process-session-leader-parent-session-leader-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.session_leader.parent.session_leader.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard -process.session_leader.parent.session_leader.io.total_bytes_captured: - dashed_name: process-session-leader-parent-session-leader-io-total-bytes-captured - description: The total number of bytes captured in this event. 
- flat_name: process.session_leader.parent.session_leader.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long -process.session_leader.parent.session_leader.io.total_bytes_skipped: - dashed_name: process-session-leader-parent-session-leader-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.session_leader.parent.session_leader.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. - type: long -process.session_leader.parent.session_leader.io.type: - dashed_name: process-session-leader-parent-session-leader-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.session_leader.parent.session_leader.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword -process.session_leader.parent.session_leader.macho.go_import_hash: - dashed_name: process-session-leader-parent-session-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.session_leader.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword -process.session_leader.parent.session_leader.macho.go_imports: - dashed_name: process-session-leader-parent-session-leader-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.session_leader.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.session_leader.parent.session_leader.macho.go_imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.parent.session_leader.macho.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long -process.session_leader.parent.session_leader.macho.go_stripped: - dashed_name: process-session-leader-parent-session-leader-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.session_leader.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.session_leader.parent.session_leader.macho.import_hash: - dashed_name: process-session-leader-parent-session-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.session_leader.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.session_leader.parent.session_leader.macho.imports: - dashed_name: process-session-leader-parent-session-leader-macho-imports - description: List of imported element names and types. - flat_name: process.session_leader.parent.session_leader.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened -process.session_leader.parent.session_leader.macho.imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.session_leader.parent.session_leader.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.session_leader.parent.session_leader.macho.imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.session_leader.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.session_leader.parent.session_leader.macho.sections: - dashed_name: process-session-leader-parent-session-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.session_leader.parent.session_leader.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested -process.session_leader.parent.session_leader.macho.sections.entropy: - dashed_name: process-session-leader-parent-session-leader-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.session_leader.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. 
- type: long -process.session_leader.parent.session_leader.macho.sections.name: - dashed_name: process-session-leader-parent-session-leader-macho-sections-name - description: Mach-O Section List name. - flat_name: process.session_leader.parent.session_leader.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword -process.session_leader.parent.session_leader.macho.sections.physical_size: - dashed_name: process-session-leader-parent-session-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.session_leader.parent.session_leader.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long -process.session_leader.parent.session_leader.macho.sections.var_entropy: - dashed_name: process-session-leader-parent-session-leader-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.session_leader.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long -process.session_leader.parent.session_leader.macho.sections.virtual_size: - dashed_name: process-session-leader-parent-session-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.session_leader.parent.session_leader.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. 
- type: long -process.session_leader.parent.session_leader.macho.symhash: - dashed_name: process-session-leader-parent-session-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.session_leader.parent.session_leader.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.session_leader.parent.session_leader.name: - dashed_name: process-session-leader-parent-session-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.session_leader.parent.session_leader.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword -process.session_leader.parent.session_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. - example: http://example.com/article1.html - flat_name: process.session_leader.parent.session_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.session_leader.parent.session_leader.origin_url: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.session_leader.parent.session_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword -process.session_leader.parent.session_leader.pe.architecture: - dashed_name: process-session-leader-parent-session-leader-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.session_leader.parent.session_leader.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword -process.session_leader.parent.session_leader.pe.company: - dashed_name: process-session-leader-parent-session-leader-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.session_leader.parent.session_leader.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.session_leader.parent.session_leader.pe.description: - dashed_name: process-session-leader-parent-session-leader-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.session_leader.parent.session_leader.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. 
- type: keyword -process.session_leader.parent.session_leader.pe.file_version: - dashed_name: process-session-leader-parent-session-leader-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.session_leader.parent.session_leader.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword -process.session_leader.parent.session_leader.pe.go_import_hash: - dashed_name: process-session-leader-parent-session-leader-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.session_leader.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword -process.session_leader.parent.session_leader.pe.go_imports: - dashed_name: process-session-leader-parent-session-leader-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.session_leader.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. 
- type: flattened -process.session_leader.parent.session_leader.pe.go_imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.parent.session_leader.pe.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.parent.session_leader.pe.go_stripped: - dashed_name: process-session-leader-parent-session-leader-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.session_leader.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.session_leader.parent.session_leader.pe.imphash: - dashed_name: process-session-leader-parent-session-leader-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. 
- - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.session_leader.parent.session_leader.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.session_leader.parent.session_leader.pe.import_hash: - dashed_name: process-session-leader-parent-session-leader-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.session_leader.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.session_leader.parent.session_leader.pe.imports: - dashed_name: process-session-leader-parent-session-leader-pe-imports - description: List of imported element names and types. - flat_name: process.session_leader.parent.session_leader.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened -process.session_leader.parent.session_leader.pe.imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.parent.session_leader.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. 
- type: long -process.session_leader.parent.session_leader.pe.imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.session_leader.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.session_leader.parent.session_leader.pe.original_file_name: - dashed_name: process-session-leader-parent-session-leader-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.session_leader.parent.session_leader.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword -process.session_leader.parent.session_leader.pe.pehash: - dashed_name: process-session-leader-parent-session-leader-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.session_leader.parent.session_leader.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. 
- type: keyword -process.session_leader.parent.session_leader.pe.product: - dashed_name: process-session-leader-parent-session-leader-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.session_leader.parent.session_leader.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.session_leader.parent.session_leader.pe.sections: - dashed_name: process-session-leader-parent-session-leader-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.session_leader.parent.session_leader.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.session_leader.parent.session_leader.pe.sections.entropy: - dashed_name: process-session-leader-parent-session-leader-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.session_leader.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long -process.session_leader.parent.session_leader.pe.sections.name: - dashed_name: process-session-leader-parent-session-leader-pe-sections-name - description: PE Section List name. - flat_name: process.session_leader.parent.session_leader.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. 
- type: keyword -process.session_leader.parent.session_leader.pe.sections.physical_size: - dashed_name: process-session-leader-parent-session-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.session_leader.parent.session_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.session_leader.parent.session_leader.pe.sections.var_entropy: - dashed_name: process-session-leader-parent-session-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.session_leader.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.session_leader.parent.session_leader.pe.sections.virtual_size: - dashed_name: process-session-leader-parent-session-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.session_leader.parent.session_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.session_leader.parent.session_leader.pid: - dashed_name: process-session-leader-parent-session-leader-pid - description: Process id. - example: 4242 - flat_name: process.session_leader.parent.session_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long -process.session_leader.parent.session_leader.platform_binary: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. - flat_name: process.session_leader.parent.session_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.session_leader.parent.session_leader.real_group.domain: - dashed_name: process-session-leader-parent-session-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.session_leader.real_group.id: - dashed_name: process-session-leader-parent-session-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.session_leader.real_group.name: - dashed_name: process-session-leader-parent-session-leader-real-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.session_leader.parent.session_leader.real_user.domain: - dashed_name: process-session-leader-parent-session-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.session_leader.parent.session_leader.real_user.email: - dashed_name: process-session-leader-parent-session-leader-real-user-email - description: User email address. - flat_name: process.session_leader.parent.session_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.parent.session_leader.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.session_leader.parent.session_leader.real_user.entity.behavior: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.session_leader.parent.session_leader.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.parent.session_leader.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.real_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.session_leader.parent.session_leader.real_user.entity.id: - dashed_name: process-session-leader-parent-session-leader-real-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.session_leader.parent.session_leader.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.session_leader.parent.session_leader.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.parent.session_leader.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.session_leader.parent.session_leader.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.session_leader.parent.session_leader.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.session_leader.parent.session_leader.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.session_leader.parent.session_leader.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.session_leader.parent.session_leader.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.session_leader.parent.session_leader.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.real_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.session_leader.parent.session_leader.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. 
While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.session_leader.parent.session_leader.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.session_leader.parent.session_leader.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.parent.session_leader.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.session_leader.parent.session_leader.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.session_leader.parent.session_leader.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.session_leader.parent.session_leader.real_user.entity.sub_type: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.parent.session_leader.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.session_leader.parent.session_leader.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. 
This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.session_leader.parent.session_leader.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.session_leader.parent.session_leader.real_user.full_name: - dashed_name: process-session-leader-parent-session-leader-real-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.session_leader.parent.session_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.session_leader.parent.session_leader.real_user.group.domain: - dashed_name: process-session-leader-parent-session-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.session_leader.real_user.group.id: - dashed_name: process-session-leader-parent-session-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.session_leader.real_user.group.name: - dashed_name: process-session-leader-parent-session-leader-real-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.session_leader.parent.session_leader.real_user.hash: - dashed_name: process-session-leader-parent-session-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.session_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.parent.session_leader.real_user.id: - dashed_name: process-session-leader-parent-session-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.session_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.session_leader.parent.session_leader.real_user.name: - dashed_name: process-session-leader-parent-session-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.session_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.session_leader.parent.session_leader.real_user.risk.calculated_level: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: High - flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.session_leader.parent.session_leader.real_user.risk.calculated_score: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.session_leader.parent.session_leader.real_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.session_leader.parent.session_leader.real_user.risk.static_level: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.session_leader.parent.session_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.session_leader.parent.session_leader.real_user.risk.static_score: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.session_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.session_leader.parent.session_leader.real_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.session_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.parent.session_leader.real_user.roles: - dashed_name: process-session-leader-parent-session-leader-real-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.session_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.session_leader.same_as_process: - dashed_name: process-session-leader-parent-session-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.session_leader.parent.session_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. 
- type: boolean -process.session_leader.parent.session_leader.saved_group.domain: - dashed_name: process-session-leader-parent-session-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.session_leader.saved_group.id: - dashed_name: process-session-leader-parent-session-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.session_leader.saved_group.name: - dashed_name: process-session-leader-parent-session-leader-saved-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.session_leader.saved_user.domain: - dashed_name: process-session-leader-parent-session-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. 
- type: keyword -process.session_leader.parent.session_leader.saved_user.email: - dashed_name: process-session-leader-parent-session-leader-saved-user-email - description: User email address. - flat_name: process.session_leader.parent.session_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.parent.session_leader.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.session_leader.parent.session_leader.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. 
- flat_name: process.session_leader.parent.session_leader.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.session_leader.parent.session_leader.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.parent.session_leader.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.saved_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.session_leader.parent.session_leader.saved_user.entity.id: - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' 
- flat_name: process.session_leader.parent.session_leader.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.session_leader.parent.session_leader.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.parent.session_leader.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.session_leader.parent.session_leader.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.session_leader.parent.session_leader.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. 
- flat_name: process.session_leader.parent.session_leader.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.session_leader.parent.session_leader.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.session_leader.parent.session_leader.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.saved_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.session_leader.parent.session_leader.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.session_leader.parent.session_leader.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.session_leader.parent.session_leader.saved_user.entity.reference: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.parent.session_leader.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.session_leader.parent.session_leader.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.session_leader.parent.session_leader.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.session_leader.parent.session_leader.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: process.session_leader.parent.session_leader.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.session_leader.parent.session_leader.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. 
This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.session_leader.parent.session_leader.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.session_leader.parent.session_leader.saved_user.full_name: - dashed_name: process-session-leader-parent-session-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.session_leader.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.session_leader.parent.session_leader.saved_user.group.domain: - dashed_name: process-session-leader-parent-session-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.session_leader.parent.session_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.session_leader.saved_user.group.id: - dashed_name: process-session-leader-parent-session-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.session_leader.saved_user.group.name: - dashed_name: process-session-leader-parent-session-leader-saved-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.session_leader.saved_user.hash: - dashed_name: process-session-leader-parent-session-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.session_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.parent.session_leader.saved_user.id: - dashed_name: process-session-leader-parent-session-leader-saved-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.session_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.session_leader.parent.session_leader.saved_user.name: - dashed_name: process-session-leader-parent-session-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.session_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.session_leader.parent.session_leader.saved_user.risk.calculated_level: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.session_leader.parent.session_leader.saved_user.risk.calculated_score: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.session_leader.parent.session_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.session_leader.parent.session_leader.saved_user.risk.static_level: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.session_leader.parent.session_leader.saved_user.risk.static_score: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.session_leader.parent.session_leader.saved_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.parent.session_leader.saved_user.roles: - dashed_name: process-session-leader-parent-session-leader-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.session_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.session_leader.start: - dashed_name: process-session-leader-parent-session-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.session_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. 
- type: date -process.session_leader.parent.session_leader.supplemental_groups.domain: - dashed_name: process-session-leader-parent-session-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.session_leader.supplemental_groups.id: - dashed_name: process-session-leader-parent-session-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.session_leader.supplemental_groups.name: - dashed_name: process-session-leader-parent-session-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.session_leader.thread.capabilities.effective: - dashed_name: process-session-leader-parent-session-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.parent.session_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.session_leader.thread.capabilities.permitted: - dashed_name: process-session-leader-parent-session-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.parent.session_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.session_leader.thread.id: - dashed_name: process-session-leader-parent-session-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.session_leader.parent.session_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long -process.session_leader.parent.session_leader.thread.name: - dashed_name: process-session-leader-parent-session-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.session_leader.parent.session_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword -process.session_leader.parent.session_leader.title: - dashed_name: process-session-leader-parent-session-leader-title - description: 'Process title. 
- - The proctitle, some times the same as process name. Can also be different: for - example a browser setting its title to the web page currently opened.' - flat_name: process.session_leader.parent.session_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword -process.session_leader.parent.session_leader.tty: - dashed_name: process-session-leader-parent-session-leader-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.session_leader.parent.session_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.session_leader.parent.session_leader.tty.char_device.major: - dashed_name: process-session-leader-parent-session-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.session_leader.parent.session_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long -process.session_leader.parent.session_leader.tty.char_device.minor: - dashed_name: process-session-leader-parent-session-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. 
It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.session_leader.parent.session_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long -process.session_leader.parent.session_leader.tty.columns: - dashed_name: process-session-leader-parent-session-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.session_leader.parent.session_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long -process.session_leader.parent.session_leader.tty.rows: - dashed_name: process-session-leader-parent-session-leader-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.session_leader.parent.session_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long -process.session_leader.parent.session_leader.uptime: - dashed_name: process-session-leader-parent-session-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.session_leader.parent.session_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. 
- type: long -process.session_leader.parent.session_leader.user.domain: - dashed_name: process-session-leader-parent-session-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.session_leader.parent.session_leader.user.email: - dashed_name: process-session-leader-parent-session-leader-user-email - description: User email address. - flat_name: process.session_leader.parent.session_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.parent.session_leader.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.session_leader.parent.session_leader.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. 
Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.user.entity.behavior +process.parent.pe.go_stripped: + dashed_name: process-parent-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.pe.go_stripped level: extended - name: behavior + name: go_stripped normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.session_leader.parent.session_leader.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.parent.session_leader.user.entity.display_name + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.parent.pe.imphash: + dashed_name: process-parent-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' 
+ example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.parent.pe.imphash ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.user.entity.display_name.text - name: text - type: match_only_text - name: display_name + name: imphash normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. + original_fieldset: pe + short: A hash of the imports in a PE file. type: keyword -process.session_leader.parent.session_leader.user.entity.id: - dashed_name: process-session-leader-parent-session-leader-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.session_leader.parent.session_leader.user.entity.id +process.parent.pe.import_hash: + dashed_name: process-parent-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.pe.import_hash ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.session_leader.parent.session_leader.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.parent.session_leader.user.entity.last_seen_timestamp level: extended - name: last_seen_timestamp + name: import_hash normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.session_leader.parent.session_leader.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.user.entity.lifecycle + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.parent.pe.imports: + dashed_name: process-parent-pe-imports + description: List of imported element names and types. + flat_name: process.parent.pe.imports level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.session_leader.parent.session_leader.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.session_leader.parent.session_leader.user.entity.metrics + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. 
+ type: flattened +process.parent.pe.imports_names_entropy: + dashed_name: process-parent-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.pe.imports_names_entropy + format: number level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.session_leader.parent.session_leader.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.session_leader.parent.session_leader.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.user.entity.name.text - name: text - type: match_only_text - name: name + name: imports_names_entropy normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.session_leader.parent.session_leader.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.session_leader.parent.session_leader.user.entity.raw + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. 
+ type: long +process.parent.pe.imports_names_var_entropy: + dashed_name: process-parent-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.pe.imports_names_var_entropy + format: number level: extended - name: raw + name: imports_names_var_entropy normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.session_leader.parent.session_leader.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.parent.session_leader.user.entity.reference + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.parent.pe.original_file_name: + dashed_name: process-parent-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.parent.pe.original_file_name ignore_above: 1024 level: extended - name: reference + name: original_file_name normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. + original_fieldset: pe + short: Internal name of the file, provided at compile-time. type: keyword -process.session_leader.parent.session_leader.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). 
- flat_name: process.session_leader.parent.session_leader.user.entity.source +process.parent.pe.pehash: + dashed_name: process-parent-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.parent.pe.pehash ignore_above: 1024 - level: core - name: source + level: extended + name: pehash normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. type: keyword -process.session_leader.parent.session_leader.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.parent.session_leader.user.entity.sub_type +process.parent.pe.product: + dashed_name: process-parent-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.parent.pe.product ignore_above: 1024 level: extended - name: sub_type + name: product normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. 
+ original_fieldset: pe + short: Internal product name of the file, provided at compile-time. type: keyword -process.session_leader.parent.session_leader.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. 
This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. 
This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.session_leader.parent.session_leader.user.entity.type - ignore_above: 1024 - level: core - name: type +process.parent.pe.sections: + dashed_name: process-parent-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.parent.pe.sections + level: extended + name: sections normalize: - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.session_leader.parent.session_leader.user.full_name: - dashed_name: process-session-leader-parent-session-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.session_leader.user.full_name - ignore_above: 1024 + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.parent.pe.sections.entropy: + dashed_name: process-parent-pe-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: process.parent.pe.sections.entropy + format: number level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.user.full_name.text - name: text - type: match_only_text - name: full_name + name: sections.entropy normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.session_leader.parent.session_leader.user.group.domain: - dashed_name: process-session-leader-parent-session-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.user.group.domain + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.parent.pe.sections.name: + dashed_name: process-parent-pe-sections-name + description: PE Section List name. + flat_name: process.parent.pe.sections.name ignore_above: 1024 level: extended - name: domain + name: sections.name normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. + original_fieldset: pe + short: PE Section List name. type: keyword -process.session_leader.parent.session_leader.user.group.id: - dashed_name: process-session-leader-parent-session-leader-user-group-id +process.parent.pe.sections.physical_size: + dashed_name: process-parent-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.parent.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.parent.pe.sections.var_entropy: + dashed_name: process-parent-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. 
+ flat_name: process.parent.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.parent.pe.sections.virtual_size: + dashed_name: process-parent-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.parent.pid: + dashed_name: process-parent-pid + description: Process id. + example: 4242 + flat_name: process.parent.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.parent.real_group.id: + dashed_name: process-parent-real-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.user.group.id + flat_name: process.parent.real_group.id ignore_above: 1024 level: extended name: id @@ -56462,10 +13465,10 @@ process.session_leader.parent.session_leader.user.group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.session_leader.parent.session_leader.user.group.name: - dashed_name: process-session-leader-parent-session-leader-user-group-name +process.parent.real_group.name: + dashed_name: process-parent-real-group-name description: Name of the group. - flat_name: process.session_leader.parent.session_leader.user.group.name + flat_name: process.parent.real_group.name ignore_above: 1024 level: extended name: name 
@@ -56473,26 +13476,11 @@ process.session_leader.parent.session_leader.user.group.name: original_fieldset: group short: Name of the group. type: keyword -process.session_leader.parent.session_leader.user.hash: - dashed_name: process-session-leader-parent-session-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.session_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.parent.session_leader.user.id: - dashed_name: process-session-leader-parent-session-leader-user-id +process.parent.real_user.id: + dashed_name: process-parent-real-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.session_leader.user.id + flat_name: process.parent.real_user.id ignore_above: 1024 level: core name: id @@ -56500,15 +13488,15 @@ process.session_leader.parent.session_leader.user.id: original_fieldset: user short: Unique identifier of the user. type: keyword -process.session_leader.parent.session_leader.user.name: - dashed_name: process-session-leader-parent-session-leader-user-name +process.parent.real_user.name: + dashed_name: process-parent-real-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.session_leader.parent.session_leader.user.name + flat_name: process.parent.real_user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.session_leader.parent.session_leader.user.name.text + - flat_name: process.parent.real_user.name.text name: text type: match_only_text name: name 
@@ -56516,160 +13504,71 @@ process.session_leader.parent.session_leader.user.name: original_fieldset: user short: Short name or login of the user. type: keyword -process.session_leader.parent.session_leader.user.risk.calculated_level: - dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.session_leader.user.risk.calculated_level +process.parent.saved_group.id: + dashed_name: process-parent-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.saved_group.id ignore_above: 1024 level: extended - name: calculated_level + name: id normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword -process.session_leader.parent.session_leader.user.risk.calculated_score: - dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.session_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: float -process.session_leader.parent.session_leader.user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.parent.session_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.session_leader.parent.session_leader.user.risk.static_level: - dashed_name: process-session-leader-parent-session-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.session_leader.user.risk.static_level +process.parent.saved_group.name: + dashed_name: process-parent-saved-group-name + description: Name of the group. + flat_name: process.parent.saved_group.name ignore_above: 1024 level: extended - name: static_level + name: name normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. + original_fieldset: group + short: Name of the group. type: keyword -process.session_leader.parent.session_leader.user.risk.static_score: - dashed_name: process-session-leader-parent-session-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.session_leader.parent.session_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.session_leader.parent.session_leader.user.risk.static_score_norm: - dashed_name: process-session-leader-parent-session-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.session_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.parent.session_leader.user.roles: - dashed_name: process-session-leader-parent-session-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.session_leader.user.roles +process.parent.saved_user.id: + dashed_name: process-parent-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.saved_user.id ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.session_leader.vpid: - dashed_name: process-session-leader-parent-session-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. 
This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.session_leader.parent.session_leader.vpid - format: string level: core - name: vpid + name: id normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.session_leader.parent.session_leader.working_directory: - dashed_name: process-session-leader-parent-session-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.session_leader.parent.session_leader.working_directory + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.parent.saved_user.name: + dashed_name: process-parent-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.saved_user.name ignore_above: 1024 - level: extended + level: core multi_fields: - - flat_name: process.session_leader.parent.session_leader.working_directory.text + - flat_name: process.parent.saved_user.name.text name: text type: match_only_text - name: working_directory + name: name normalize: [] - original_fieldset: process - short: The working directory of the process. + original_fieldset: user + short: Short name or login of the user. type: keyword -process.session_leader.parent.start: - dashed_name: process-session-leader-parent-start +process.parent.start: + dashed_name: process-parent-start description: The time the process started. example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.session_leader.parent.supplemental_groups.domain: - dashed_name: process-session-leader-parent-supplemental-groups-domain - description: 'Name of the directory the group is a member of. 
- - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.supplemental_groups.domain - ignore_above: 1024 + flat_name: process.parent.start level: extended - name: domain + name: start normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.supplemental_groups.id: - dashed_name: process-session-leader-parent-supplemental-groups-id + original_fieldset: process + short: The time the process started. + type: date +process.parent.supplemental_groups.id: + dashed_name: process-parent-supplemental-groups-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.supplemental_groups.id + flat_name: process.parent.supplemental_groups.id ignore_above: 1024 level: extended name: id @@ -56677,10 +13576,10 @@ process.session_leader.parent.supplemental_groups.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.session_leader.parent.supplemental_groups.name: - dashed_name: process-session-leader-parent-supplemental-groups-name +process.parent.supplemental_groups.name: + dashed_name: process-parent-supplemental-groups-name description: Name of the group. - flat_name: process.session_leader.parent.supplemental_groups.name + flat_name: process.parent.supplemental_groups.name ignore_above: 1024 level: extended name: name 
@@ -56688,12 +13587,12 @@ process.session_leader.parent.supplemental_groups.name: original_fieldset: group short: Name of the group. type: keyword -process.session_leader.parent.thread.capabilities.effective: - dashed_name: process-session-leader-parent-thread-capabilities-effective +process.parent.thread.capabilities.effective: + dashed_name: process-parent-thread-capabilities-effective description: This is the set of capabilities used by the kernel to perform permission checks for the thread. example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.parent.thread.capabilities.effective + flat_name: process.parent.thread.capabilities.effective ignore_above: 1024 level: extended name: thread.capabilities.effective @@ -56704,12 +13603,12 @@ process.session_leader.parent.thread.capabilities.effective: short: Array of capabilities used for permission checks. synthetic_source_keep: none type: keyword -process.session_leader.parent.thread.capabilities.permitted: - dashed_name: process-session-leader-parent-thread-capabilities-permitted +process.parent.thread.capabilities.permitted: + dashed_name: process-parent-thread-capabilities-permitted description: This is a limiting superset for the effective capabilities that the thread may assume. example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.parent.thread.capabilities.permitted + flat_name: process.parent.thread.capabilities.permitted ignore_above: 1024 level: extended name: thread.capabilities.permitted 
@@ -56720,11 +13619,11 @@ process.session_leader.parent.thread.capabilities.permitted: short: Array of capabilities a thread could assume. synthetic_source_keep: none type: keyword -process.session_leader.parent.thread.id: - dashed_name: process-session-leader-parent-thread-id +process.parent.thread.id: + dashed_name: process-parent-thread-id description: Thread ID. example: 4242 - flat_name: process.session_leader.parent.thread.id + flat_name: process.parent.thread.id format: string level: extended name: thread.id @@ -56732,11 +13631,11 @@ process.session_leader.parent.thread.id: original_fieldset: process short: Thread ID. type: long -process.session_leader.parent.thread.name: - dashed_name: process-session-leader-parent-thread-name +process.parent.thread.name: + dashed_name: process-parent-thread-name description: Thread name. example: thread-0 - flat_name: process.session_leader.parent.thread.name + flat_name: process.parent.thread.name ignore_above: 1024 level: extended name: thread.name @@ -56744,17 +13643,17 @@ process.session_leader.parent.thread.name: original_fieldset: process short: Thread name. type: keyword -process.session_leader.parent.title: - dashed_name: process-session-leader-parent-title +process.parent.title: + dashed_name: process-parent-title description: 'Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' - flat_name: process.session_leader.parent.title + flat_name: process.parent.title ignore_above: 1024 level: extended multi_fields: - - flat_name: process.session_leader.parent.title.text + - flat_name: process.parent.title.text name: text type: match_only_text name: title 
@@ -56762,436 +13661,61 @@ process.session_leader.parent.title: original_fieldset: process short: Process title. type: keyword -process.session_leader.parent.tty: - dashed_name: process-session-leader-parent-tty +process.parent.tty: + dashed_name: process-parent-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. - flat_name: process.session_leader.parent.tty + flat_name: process.parent.tty level: extended name: tty normalize: [] original_fieldset: process short: Information about the controlling TTY device. type: object -process.session_leader.parent.tty.char_device.major: - dashed_name: process-session-leader-parent-tty-char-device-major +process.parent.tty.char_device.major: + dashed_name: process-parent-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. example: 4 - flat_name: process.session_leader.parent.tty.char_device.major + flat_name: process.parent.tty.char_device.major level: extended name: tty.char_device.major normalize: [] original_fieldset: process short: The TTY character device's major number. type: long -process.session_leader.parent.tty.char_device.minor: - dashed_name: process-session-leader-parent-tty-char-device-minor +process.parent.tty.char_device.minor: + dashed_name: process-parent-tty-char-device-minor description: The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them. 
example: 1 - flat_name: process.session_leader.parent.tty.char_device.minor + flat_name: process.parent.tty.char_device.minor level: extended name: tty.char_device.minor normalize: [] original_fieldset: process short: The TTY character device's minor number. type: long -process.session_leader.parent.tty.columns: - dashed_name: process-session-leader-parent-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.session_leader.parent.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long -process.session_leader.parent.tty.rows: - dashed_name: process-session-leader-parent-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.session_leader.parent.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long -process.session_leader.parent.uptime: - dashed_name: process-session-leader-parent-uptime +process.parent.uptime: + dashed_name: process-parent-uptime description: Seconds the process has been up. example: 1325 - flat_name: process.session_leader.parent.uptime + flat_name: process.parent.uptime level: extended name: uptime normalize: [] original_fieldset: process short: Seconds the process has been up. type: long -process.session_leader.parent.user.domain: - dashed_name: process-session-leader-parent-user-domain - description: 'Name of the directory the user is a member of. 
- - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.session_leader.parent.user.email: - dashed_name: process-session-leader-parent-user-email - description: User email address. - flat_name: process.session_leader.parent.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.parent.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.session_leader.parent.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.session_leader.parent.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. 
- flat_name: process.session_leader.parent.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.session_leader.parent.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.parent.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.session_leader.parent.user.entity.id: - dashed_name: process-session-leader-parent-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.session_leader.parent.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. 
- type: keyword -process.session_leader.parent.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.parent.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.session_leader.parent.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.session_leader.parent.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.session_leader.parent.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.session_leader.parent.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-name - description: The name of the entity. 
The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.session_leader.parent.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.session_leader.parent.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.session_leader.parent.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.session_leader.parent.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.parent.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.session_leader.parent.user.entity.source: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.session_leader.parent.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.session_leader.parent.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.parent.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.session_leader.parent.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. 
- name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. 
- name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.session_leader.parent.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.session_leader.parent.user.full_name: - dashed_name: process-session-leader-parent-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.session_leader.parent.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.session_leader.parent.user.group.domain: - dashed_name: process-session-leader-parent-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.user.group.id: - dashed_name: process-session-leader-parent-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.user.group.name: - dashed_name: process-session-leader-parent-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.user.hash: - dashed_name: process-session-leader-parent-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.session_leader.parent.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.parent.user.id: - dashed_name: process-session-leader-parent-user-id +process.parent.user.id: + dashed_name: process-parent-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.user.id + flat_name: process.parent.user.id ignore_above: 1024 level: core name: id @@ -57199,15 +13723,15 @@ process.session_leader.parent.user.id: original_fieldset: user short: Unique identifier of the user. type: keyword -process.session_leader.parent.user.name: - dashed_name: process-session-leader-parent-user-name +process.parent.user.name: + dashed_name: process-parent-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.session_leader.parent.user.name + flat_name: process.parent.user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.session_leader.parent.user.name.text + - flat_name: process.parent.user.name.text name: text type: match_only_text name: name 
@@ -57215,109 +13739,15 @@ process.session_leader.parent.user.name: original_fieldset: user short: Short name or login of the user. type: keyword -process.session_leader.parent.user.risk.calculated_level: - dashed_name: process-session-leader-parent-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.session_leader.parent.user.risk.calculated_score: - dashed_name: process-session-leader-parent-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.session_leader.parent.user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.parent.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float -process.session_leader.parent.user.risk.static_level: - dashed_name: process-session-leader-parent-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.session_leader.parent.user.risk.static_score: - dashed_name: process-session-leader-parent-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.session_leader.parent.user.risk.static_score_norm: - dashed_name: process-session-leader-parent-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.parent.user.roles: - dashed_name: process-session-leader-parent-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.vpid: - dashed_name: process-session-leader-parent-vpid +process.parent.vpid: + dashed_name: process-parent-vpid description: 'Virtual process id. The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within.' example: 4242 - flat_name: process.session_leader.parent.vpid + flat_name: process.parent.vpid format: string level: core name: vpid @@ -57325,15 +13755,15 @@ process.session_leader.parent.vpid: original_fieldset: process short: Virtual process id. type: long -process.session_leader.parent.working_directory: - dashed_name: process-session-leader-parent-working-directory +process.parent.working_directory: + dashed_name: process-parent-working-directory description: The working directory of the process. example: /home/alice - flat_name: process.session_leader.parent.working_directory + flat_name: process.parent.working_directory ignore_above: 1024 level: extended multi_fields: - - flat_name: process.session_leader.parent.working_directory.text + - flat_name: process.parent.working_directory.text name: text type: match_only_text name: working_directory 
@@ -57341,11 +13771,11 @@ process.session_leader.parent.working_directory: original_fieldset: process short: The working directory of the process. type: keyword -process.session_leader.pe.architecture: - dashed_name: process-session-leader-pe-architecture +process.pe.architecture: + dashed_name: process-pe-architecture description: CPU architecture target for the file. example: x64 - flat_name: process.session_leader.pe.architecture + flat_name: process.pe.architecture ignore_above: 1024 level: extended name: architecture @@ -57353,11 +13783,11 @@ process.session_leader.pe.architecture: original_fieldset: pe short: CPU architecture target for the file. type: keyword -process.session_leader.pe.company: - dashed_name: process-session-leader-pe-company +process.pe.company: + dashed_name: process-pe-company description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation - flat_name: process.session_leader.pe.company + flat_name: process.pe.company ignore_above: 1024 level: extended name: company @@ -57365,11 +13795,11 @@ process.session_leader.pe.company: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword -process.session_leader.pe.description: - dashed_name: process-session-leader-pe-description +process.pe.description: + dashed_name: process-pe-description description: Internal description of the file, provided at compile-time. example: Paint - flat_name: process.session_leader.pe.description + flat_name: process.pe.description ignore_above: 1024 level: extended name: description 
@@ -57377,11 +13807,11 @@ process.session_leader.pe.description: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword -process.session_leader.pe.file_version: - dashed_name: process-session-leader-pe-file-version +process.pe.file_version: + dashed_name: process-pe-file-version description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 - flat_name: process.session_leader.pe.file_version + flat_name: process.pe.file_version ignore_above: 1024 level: extended name: file_version @@ -57389,8 +13819,8 @@ process.session_leader.pe.file_version: original_fieldset: pe short: Process name. type: keyword -process.session_leader.pe.go_import_hash: - dashed_name: process-session-leader-pe-go-import-hash +process.pe.go_import_hash: + dashed_name: process-pe-go-import-hash description: 'A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change @@ -57399,7 +13829,7 @@ process.session_leader.pe.go_import_hash: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.pe.go_import_hash + flat_name: process.pe.go_import_hash ignore_above: 1024 level: extended name: go_import_hash 
@@ -57407,20 +13837,20 @@ process.session_leader.pe.go_import_hash: original_fieldset: pe short: A hash of the Go language imports in a PE file. type: keyword -process.session_leader.pe.go_imports: - dashed_name: process-session-leader-pe-go-imports +process.pe.go_imports: + dashed_name: process-pe-go-imports description: List of imported Go language element names and types. - flat_name: process.session_leader.pe.go_imports + flat_name: process.pe.go_imports level: extended name: go_imports normalize: [] original_fieldset: pe short: List of imported Go language element names and types. type: flattened -process.session_leader.pe.go_imports_names_entropy: - dashed_name: process-session-leader-pe-go-imports-names-entropy +process.pe.go_imports_names_entropy: + dashed_name: process-pe-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.pe.go_imports_names_entropy + flat_name: process.pe.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy @@ -57428,10 +13858,10 @@ process.session_leader.pe.go_imports_names_entropy: original_fieldset: pe short: Shannon entropy calculation from the list of Go imports. type: long -process.session_leader.pe.go_imports_names_var_entropy: - dashed_name: process-session-leader-pe-go-imports-names-var-entropy +process.pe.go_imports_names_var_entropy: + dashed_name: process-pe-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.pe.go_imports_names_var_entropy + flat_name: process.pe.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -57439,26 +13869,26 @@ process.session_leader.pe.go_imports_names_var_entropy: original_fieldset: pe short: Variance for Shannon entropy calculation from the list of Go imports. type: long -process.session_leader.pe.go_stripped: - dashed_name: process-session-leader-pe-go-stripped +process.pe.go_stripped: + dashed_name: process-pe-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.pe.go_stripped + flat_name: process.pe.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: pe short: Whether the file is a stripped or obfuscated Go executable. type: boolean -process.session_leader.pe.imphash: - dashed_name: process-session-leader-pe-imphash +process.pe.imphash: + dashed_name: process-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.session_leader.pe.imphash + flat_name: process.pe.imphash ignore_above: 1024 level: extended name: imphash 
@@ -57466,15 +13896,15 @@ process.session_leader.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword -process.session_leader.pe.import_hash: - dashed_name: process-session-leader-pe-import-hash +process.pe.import_hash: + dashed_name: process-pe-import-hash description: 'A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for imphash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.pe.import_hash + flat_name: process.pe.import_hash ignore_above: 1024 level: extended name: import_hash @@ -57482,10 +13912,10 @@ process.session_leader.pe.import_hash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword -process.session_leader.pe.imports: - dashed_name: process-session-leader-pe-imports +process.pe.imports: + dashed_name: process-pe-imports description: List of imported element names and types. - flat_name: process.session_leader.pe.imports + flat_name: process.pe.imports level: extended name: imports normalize: @@ -57493,11 +13923,11 @@ process.session_leader.pe.imports: original_fieldset: pe short: List of imported element names and types. type: flattened -process.session_leader.pe.imports_names_entropy: - dashed_name: process-session-leader-pe-imports-names-entropy +process.pe.imports_names_entropy: + dashed_name: process-pe-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.session_leader.pe.imports_names_entropy + flat_name: process.pe.imports_names_entropy format: number level: extended name: imports_names_entropy 
@@ -57505,11 +13935,11 @@ process.session_leader.pe.imports_names_entropy: original_fieldset: pe short: Shannon entropy calculation from the list of imported element names and types. type: long -process.session_leader.pe.imports_names_var_entropy: - dashed_name: process-session-leader-pe-imports-names-var-entropy +process.pe.imports_names_var_entropy: + dashed_name: process-pe-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.session_leader.pe.imports_names_var_entropy + flat_name: process.pe.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy @@ -57518,11 +13948,11 @@ process.session_leader.pe.imports_names_var_entropy: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long -process.session_leader.pe.original_file_name: - dashed_name: process-session-leader-pe-original-file-name +process.pe.original_file_name: + dashed_name: process-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE - flat_name: process.session_leader.pe.original_file_name + flat_name: process.pe.original_file_name ignore_above: 1024 level: extended name: original_file_name 
@@ -57530,15 +13960,15 @@ process.session_leader.pe.original_file_name: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: keyword -process.session_leader.pe.pehash: - dashed_name: process-session-leader-pe-pehash +process.pe.pehash: + dashed_name: process-pe-pehash description: 'A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.session_leader.pe.pehash + flat_name: process.pe.pehash ignore_above: 1024 level: extended name: pehash @@ -57546,11 +13976,11 @@ process.session_leader.pe.pehash: original_fieldset: pe short: A hash of the PE header and data from one or more PE sections. type: keyword -process.session_leader.pe.product: - dashed_name: process-session-leader-pe-product +process.pe.product: + dashed_name: process-pe-product description: Internal product name of the file, provided at compile-time. example: Microsoft® Windows® Operating System - flat_name: process.session_leader.pe.product + flat_name: process.pe.product ignore_above: 1024 level: extended name: product @@ -57558,13 +13988,13 @@ process.session_leader.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword -process.session_leader.pe.sections: - dashed_name: process-session-leader-pe-sections +process.pe.sections: + dashed_name: process-pe-sections description: 'An array containing an object for each section of the PE file. The keys that should be present in these objects are defined by sub-fields underneath `pe.sections.*`.' - flat_name: process.session_leader.pe.sections + flat_name: process.pe.sections level: extended name: sections normalize: 
@@ -57572,10 +14002,10 @@ process.session_leader.pe.sections: original_fieldset: pe short: Section information of the PE file. type: nested -process.session_leader.pe.sections.entropy: - dashed_name: process-session-leader-pe-sections-entropy +process.pe.sections.entropy: + dashed_name: process-pe-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.session_leader.pe.sections.entropy + flat_name: process.pe.sections.entropy format: number level: extended name: sections.entropy @@ -57583,10 +14013,10 @@ process.session_leader.pe.sections.entropy: original_fieldset: pe short: Shannon entropy calculation from the section. type: long -process.session_leader.pe.sections.name: - dashed_name: process-session-leader-pe-sections-name +process.pe.sections.name: + dashed_name: process-pe-sections-name description: PE Section List name. - flat_name: process.session_leader.pe.sections.name + flat_name: process.pe.sections.name ignore_above: 1024 level: extended name: sections.name @@ -57594,10 +14024,10 @@ process.session_leader.pe.sections.name: original_fieldset: pe short: PE Section List name. type: keyword -process.session_leader.pe.sections.physical_size: - dashed_name: process-session-leader-pe-sections-physical-size +process.pe.sections.physical_size: + dashed_name: process-pe-sections-physical-size description: PE Section List physical size. - flat_name: process.session_leader.pe.sections.physical_size + flat_name: process.pe.sections.physical_size format: bytes level: extended name: sections.physical_size 
@@ -57605,10 +14035,10 @@ process.session_leader.pe.sections.physical_size: original_fieldset: pe short: PE Section List physical size. type: long -process.session_leader.pe.sections.var_entropy: - dashed_name: process-session-leader-pe-sections-var-entropy +process.pe.sections.var_entropy: + dashed_name: process-pe-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.pe.sections.var_entropy + flat_name: process.pe.sections.var_entropy format: number level: extended name: sections.var_entropy @@ -57616,10 +14046,10 @@ process.session_leader.pe.sections.var_entropy: original_fieldset: pe short: Variance for Shannon entropy calculation from the section. type: long -process.session_leader.pe.sections.virtual_size: - dashed_name: process-session-leader-pe-sections-virtual-size +process.pe.sections.virtual_size: + dashed_name: process-pe-sections-virtual-size description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.session_leader.pe.sections.virtual_size + flat_name: process.pe.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -57627,50 +14057,71 @@ process.session_leader.pe.sections.virtual_size: original_fieldset: pe short: PE Section List virtual size. This is always the same as `physical_size`. type: long -process.session_leader.pid: - dashed_name: process-session-leader-pid +process.pid: + dashed_name: process-pid description: Process id. example: 4242 - flat_name: process.session_leader.pid + flat_name: process.pid format: string level: core name: pid normalize: [] - original_fieldset: process otel: - relation: match + stability: development short: Process id. type: long -process.session_leader.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. - flat_name: process.session_leader.platform_binary +process.previous.args: + dashed_name: process-previous-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.previous.args + ignore_above: 1024 level: extended - name: platform_binary - normalize: [] + name: args + normalize: + - array original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.session_leader.real_group.domain: - dashed_name: process-session-leader-real-group-domain - description: 'Name of the directory the group is a member of. + short: Array of process arguments. + type: keyword +process.previous.args_count: + dashed_name: process-previous-args-count + description: 'Length of the process.args array. - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.session_leader.real_group.domain + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.previous.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long +process.previous.executable: + dashed_name: process-previous-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.previous.executable ignore_above: 1024 level: extended - name: domain + multi_fields: + - flat_name: process.previous.executable.text + name: text + type: match_only_text + name: executable normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. + original_fieldset: process + short: Absolute path to the process executable. type: keyword -process.session_leader.real_group.id: - dashed_name: process-session-leader-real-group-id +process.real_group.id: + dashed_name: process-real-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.real_group.id + flat_name: process.real_group.id ignore_above: 1024 level: extended name: id @@ -57678,10 +14129,10 @@ process.session_leader.real_group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.session_leader.real_group.name: - dashed_name: process-session-leader-real-group-name +process.real_group.name: + dashed_name: process-real-group-name description: Name of the group. - flat_name: process.session_leader.real_group.name + flat_name: process.real_group.name ignore_above: 1024 level: extended name: name 
@@ -57689,320 +14140,44 @@ process.session_leader.real_group.name: original_fieldset: group short: Name of the group. type: keyword -process.session_leader.real_user.domain: - dashed_name: process-session-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.session_leader.real_user.email: - dashed_name: process-session-leader-real-user-email - description: User email address. - flat_name: process.session_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.session_leader.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.session_leader.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. 
Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.session_leader.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.session_leader.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.real_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.session_leader.real_user.entity.id: - dashed_name: process-session-leader-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' 
- flat_name: process.session_leader.real_user.entity.id +process.real_user.id: + dashed_name: process-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.real_user.id ignore_above: 1024 level: core name: id normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. + original_fieldset: user + otel: + - relation: match + stability: development + short: Unique identifier of the user. type: keyword -process.session_leader.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.session_leader.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.session_leader.real_user.entity.metrics: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.session_leader.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.session_leader.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.session_leader.real_user.entity.name +process.real_user.name: + dashed_name: process-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.real_user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.session_leader.real_user.entity.name.text + - flat_name: process.real_user.name.text name: text type: match_only_text name: name normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.session_leader.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.session_leader.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. 
- type: object -process.session_leader.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.session_leader.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.session_leader.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.session_leader.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: process.session_leader.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.session_leader.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. 
This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.session_leader.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.session_leader.real_user.full_name: - dashed_name: process-session-leader-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] original_fieldset: user - short: User's full name, if available. - type: keyword -process.session_leader.real_user.group.domain: - dashed_name: process-session-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. + otel: + - relation: match + stability: development + short: Short name or login of the user. 
type: keyword -process.session_leader.real_user.group.id: - dashed_name: process-session-leader-real-user-group-id +process.saved_group.id: + dashed_name: process-saved-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.real_user.group.id + flat_name: process.saved_group.id ignore_above: 1024 level: extended name: id @@ -58010,10 +14185,10 @@ process.session_leader.real_user.group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.session_leader.real_user.group.name: - dashed_name: process-session-leader-real-user-group-name +process.saved_group.name: + dashed_name: process-saved-group-name description: Name of the group. - flat_name: process.session_leader.real_user.group.name + flat_name: process.saved_group.name ignore_above: 1024 level: extended name: name 
@@ -58021,190 +14196,129 @@ process.session_leader.real_user.group.name: original_fieldset: group short: Name of the group. type: keyword -process.session_leader.real_user.hash: - dashed_name: process-session-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.real_user.id: - dashed_name: process-session-leader-real-user-id +process.saved_user.id: + dashed_name: process-saved-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.real_user.id + flat_name: process.saved_user.id ignore_above: 1024 level: core name: id normalize: [] original_fieldset: user + otel: + - relation: match + stability: development short: Unique identifier of the user. type: keyword -process.session_leader.real_user.name: - dashed_name: process-session-leader-real-user-name +process.saved_user.name: + dashed_name: process-saved-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.session_leader.real_user.name + flat_name: process.saved_user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.session_leader.real_user.name.text + - flat_name: process.saved_user.name.text name: text type: match_only_text name: name normalize: [] original_fieldset: user + otel: + - relation: match + stability: development short: Short name or login of the user. 
type: keyword -process.session_leader.real_user.risk.calculated_level: - dashed_name: process-session-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.session_leader.real_user.risk.calculated_score: - dashed_name: process-session-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.session_leader.real_user.risk.calculated_score_norm: - dashed_name: process-session-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.session_leader.real_user.risk.static_level: - dashed_name: process-session-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.session_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.session_leader.real_user.risk.static_score: - dashed_name: process-session-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.session_leader.real_user.risk.static_score_norm: - dashed_name: process-session-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.real_user.roles: - dashed_name: process-session-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.real_user.roles +process.session_leader.args: + dashed_name: process-session-leader-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' 
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.session_leader.args ignore_above: 1024 level: extended - name: roles + name: args normalize: - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none + original_fieldset: process + short: Array of process arguments. type: keyword -process.session_leader.same_as_process: - dashed_name: process-session-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. +process.session_leader.args_count: + dashed_name: process-session-leader-args-count + description: 'Length of the process.args array. - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.session_leader.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long +process.session_leader.command_line: + dashed_name: process-session-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. 
e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.session_leader.command_line + level: extended + multi_fields: + - flat_name: process.session_leader.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.session_leader.entity_id: + dashed_name: process-session-leader-entity-id + description: 'Unique identifier for the process. - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.session_leader.same_as_process + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.session_leader.entity_id + ignore_above: 1024 level: extended - name: same_as_process + name: entity_id normalize: [] original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.session_leader.saved_group.domain: - dashed_name: process-session-leader-saved-group-domain - description: 'Name of the directory the group is a member of. 
- - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.saved_group.domain + short: Unique identifier for the process. + type: keyword +process.session_leader.executable: + dashed_name: process-session-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.session_leader.executable ignore_above: 1024 level: extended - name: domain + multi_fields: + - flat_name: process.session_leader.executable.text + name: text + type: match_only_text + name: executable normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. + original_fieldset: process + short: Absolute path to the process executable. type: keyword -process.session_leader.saved_group.id: - dashed_name: process-session-leader-saved-group-id +process.session_leader.group.id: + dashed_name: process-session-leader-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.saved_group.id + flat_name: process.session_leader.group.id ignore_above: 1024 level: extended name: id @@ -58212,10 +14326,10 @@ process.session_leader.saved_group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.session_leader.saved_group.name: - dashed_name: process-session-leader-saved-group-name +process.session_leader.group.name: + dashed_name: process-session-leader-group-name description: Name of the group. - flat_name: process.session_leader.saved_group.name + flat_name: process.session_leader.group.name ignore_above: 1024 level: extended name: name 
@@ -58223,320 +14337,182 @@ process.session_leader.saved_group.name: original_fieldset: group short: Name of the group. type: keyword -process.session_leader.saved_user.domain: - dashed_name: process-session-leader-saved-user-domain - description: 'Name of the directory the user is a member of. +process.session_leader.interactive: + dashed_name: process-session-leader-interactive + description: 'Whether the process is connected to an interactive shell. - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.session_leader.saved_user.email: - dashed_name: process-session-leader-saved-user-email - description: User email address. - flat_name: process.session_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.session_leader.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.session_leader.saved_user.entity.behavior: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.session_leader.saved_user.entity.behavior + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.session_leader.interactive level: extended - name: behavior + name: interactive normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.session_leader.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.saved_user.entity.display_name + original_fieldset: process + short: Whether the process is connected to an interactive shell. 
+ type: boolean +process.session_leader.name: + dashed_name: process-session-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.session_leader.name ignore_above: 1024 level: extended multi_fields: - - flat_name: process.session_leader.saved_user.entity.display_name.text + - flat_name: process.session_leader.name.text name: text type: match_only_text - name: display_name + name: name normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. + original_fieldset: process + short: Process name. type: keyword -process.session_leader.saved_user.entity.id: - dashed_name: process-session-leader-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.session_leader.saved_user.entity.id +process.session_leader.parent.entity_id: + dashed_name: process-session-leader-parent-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' 
+ example: c2c455d9f99375d + flat_name: process.session_leader.parent.entity_id ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.session_leader.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.session_leader.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.session_leader.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.session_leader.saved_user.entity.metrics level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. 
- type: object -process.session_leader.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.session_leader.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.saved_user.entity.name.text - name: text - type: match_only_text - name: name + name: entity_id normalize: [] - original_fieldset: entity - short: The name of the entity. + original_fieldset: process + short: Unique identifier for the process. type: keyword -process.session_leader.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.session_leader.saved_user.entity.raw - level: extended - name: raw +process.session_leader.parent.pid: + dashed_name: process-session-leader-parent-pid + description: Process id. + example: 4242 + flat_name: process.session_leader.parent.pid + format: string + level: core + name: pid normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.session_leader.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. 
This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.saved_user.entity.reference + original_fieldset: process + short: Process id. + type: long +process.session_leader.parent.session_leader.entity_id: + dashed_name: process-session-leader-parent-session-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.session_leader.parent.session_leader.entity_id ignore_above: 1024 level: extended - name: reference + name: entity_id normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. + original_fieldset: process + short: Unique identifier for the process. type: keyword -process.session_leader.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.session_leader.saved_user.entity.source - ignore_above: 1024 +process.session_leader.parent.session_leader.pid: + dashed_name: process-session-leader-parent-session-leader-pid + description: Process id. + example: 4242 + flat_name: process.session_leader.parent.session_leader.pid + format: string level: core - name: source + name: pid normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. 
- type: keyword -process.session_leader.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.saved_user.entity.sub_type - ignore_above: 1024 + original_fieldset: process + short: Process id. + type: long +process.session_leader.parent.session_leader.start: + dashed_name: process-session-leader-parent-session-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.parent.session_leader.start level: extended - name: sub_type + name: start normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.session_leader.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. 
- name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. 
- name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.session_leader.saved_user.entity.type - ignore_above: 1024 + original_fieldset: process + short: The time the process started. + type: date +process.session_leader.parent.session_leader.vpid: + dashed_name: process-session-leader-parent-session-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. 
This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.session_leader.parent.session_leader.vpid + format: string level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.session_leader.saved_user.full_name: - dashed_name: process-session-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.saved_user.full_name - ignore_above: 1024 + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long +process.session_leader.parent.start: + dashed_name: process-session-leader-parent-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.parent.start level: extended - multi_fields: - - flat_name: process.session_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name + name: start normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.session_leader.saved_user.group.domain: - dashed_name: process-session-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. + original_fieldset: process + short: The time the process started. + type: date +process.session_leader.parent.vpid: + dashed_name: process-session-leader-parent-vpid + description: 'Virtual process id. - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' 
+ example: 4242 + flat_name: process.session_leader.parent.vpid + format: string + level: core + name: vpid normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.saved_user.group.id: - dashed_name: process-session-leader-saved-user-group-id + original_fieldset: process + short: Virtual process id. + type: long +process.session_leader.pid: + dashed_name: process-session-leader-pid + description: Process id. + example: 4242 + flat_name: process.session_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + otel: + - relation: match + stability: development + short: Process id. + type: long +process.session_leader.real_group.id: + dashed_name: process-session-leader-real-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.saved_user.group.id + flat_name: process.session_leader.real_group.id ignore_above: 1024 level: extended name: id @@ -58544,10 +14520,10 @@ process.session_leader.saved_user.group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.session_leader.saved_user.group.name: - dashed_name: process-session-leader-saved-user-group-name +process.session_leader.real_group.name: + dashed_name: process-session-leader-real-group-name description: Name of the group. - flat_name: process.session_leader.saved_user.group.name + flat_name: process.session_leader.real_group.name ignore_above: 1024 level: extended name: name 
@@ -58555,26 +14531,11 @@ process.session_leader.saved_user.group.name: original_fieldset: group short: Name of the group. type: keyword -process.session_leader.saved_user.hash: - dashed_name: process-session-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.saved_user.id: - dashed_name: process-session-leader-saved-user-id +process.session_leader.real_user.id: + dashed_name: process-session-leader-real-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.saved_user.id + flat_name: process.session_leader.real_user.id ignore_above: 1024 level: core name: id @@ -58582,15 +14543,15 @@ process.session_leader.saved_user.id: original_fieldset: user short: Unique identifier of the user. type: keyword -process.session_leader.saved_user.name: - dashed_name: process-session-leader-saved-user-name +process.session_leader.real_user.name: + dashed_name: process-session-leader-real-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.session_leader.saved_user.name + flat_name: process.session_leader.real_user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.session_leader.saved_user.name.text + - flat_name: process.session_leader.real_user.name.text name: text type: match_only_text name: name 
@@ -58598,99 +14559,85 @@ process.session_leader.saved_user.name: original_fieldset: user short: Short name or login of the user. type: keyword -process.session_leader.saved_user.risk.calculated_level: - dashed_name: process-session-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.session_leader.saved_user.risk.calculated_score: - dashed_name: process-session-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.session_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-session-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.saved_user.risk.calculated_score_norm +process.session_leader.same_as_process: + dashed_name: process-session-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. 
+ + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.session_leader.same_as_process level: extended - name: calculated_score_norm + name: same_as_process normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.session_leader.saved_user.risk.static_level: - dashed_name: process-session-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.saved_user.risk.static_level + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.session_leader.saved_group.id: + dashed_name: process-session-leader-saved-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.session_leader.saved_group.id ignore_above: 1024 level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.session_leader.saved_user.risk.static_score: - dashed_name: process-session-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.saved_user.risk.static_score - level: extended - name: static_score + name: id normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.session_leader.saved_user.risk.static_score_norm: - dashed_name: process-session-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.saved_user.risk.static_score_norm + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.saved_group.name: + dashed_name: process-session-leader-saved-group-name + description: Name of the group. + flat_name: process.session_leader.saved_group.name + ignore_above: 1024 level: extended - name: static_score_norm + name: name normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.saved_user.roles: - dashed_name: process-session-leader-saved-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.saved_user.roles + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.saved_user.id: + dashed_name: process-session-leader-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.saved_user.id ignore_above: 1024 - level: extended - name: roles - normalize: - - array + level: core + name: id + normalize: [] original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none + short: Unique identifier of the user. + type: keyword +process.session_leader.saved_user.name: + dashed_name: process-session-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. type: keyword process.session_leader.start: dashed_name: process-session-leader-start 
@@ -58703,19 +14650,6 @@ process.session_leader.start: original_fieldset: process short: The time the process started. type: date -process.session_leader.supplemental_groups.domain: - dashed_name: process-session-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword process.session_leader.supplemental_groups.id: dashed_name: process-session-leader-supplemental-groups-id description: Unique identifier for the group on the system/platform. 
@@ -58738,80 +14672,6 @@ process.session_leader.supplemental_groups.name: original_fieldset: group short: Name of the group. type: keyword -process.session_leader.thread.capabilities.effective: - dashed_name: process-session-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword -process.session_leader.thread.capabilities.permitted: - dashed_name: process-session-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword -process.session_leader.thread.id: - dashed_name: process-session-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.session_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long -process.session_leader.thread.name: - dashed_name: process-session-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.session_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. 
- type: keyword -process.session_leader.title: - dashed_name: process-session-leader-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: for - example a browser setting its title to the web page currently opened.' - flat_name: process.session_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword process.session_leader.tty: dashed_name: process-session-leader-tty description: Information about the controlling TTY device. If set, the process belongs 
@@ -58851,392 +14711,6 @@ process.session_leader.tty.char_device.minor: original_fieldset: process short: The TTY character device's minor number. type: long -process.session_leader.tty.columns: - dashed_name: process-session-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.session_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long -process.session_leader.tty.rows: - dashed_name: process-session-leader-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.session_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long -process.session_leader.uptime: - dashed_name: process-session-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.session_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long -process.session_leader.user.domain: - dashed_name: process-session-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. 
- type: keyword -process.session_leader.user.email: - dashed_name: process-session-leader-user-email - description: User email address. - flat_name: process.session_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.session_leader.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.session_leader.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.session_leader.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.session_leader.user.entity.display_name: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.session_leader.user.entity.id: - dashed_name: process-session-leader-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.session_leader.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.session_leader.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. 
- flat_name: process.session_leader.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.session_leader.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.session_leader.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.session_leader.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.session_leader.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. 
- flat_name: process.session_leader.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.session_leader.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.session_leader.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.session_leader.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.session_leader.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). 
- flat_name: process.session_leader.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.session_leader.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.session_leader.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. 
- Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. 
Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.session_leader.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.session_leader.user.full_name: - dashed_name: process-session-leader-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.session_leader.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.session_leader.user.group.domain: - dashed_name: process-session-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.user.group.id: - dashed_name: process-session-leader-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.user.group.name: - dashed_name: process-session-leader-user-group-name - description: Name of the group. - flat_name: process.session_leader.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.user.hash: - dashed_name: process-session-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. 
- type: keyword process.session_leader.user.id: dashed_name: process-session-leader-user-id description: Unique identifier of the user. 
@@ -59265,100 +14739,6 @@ process.session_leader.user.name: original_fieldset: user short: Short name or login of the user. type: keyword -process.session_leader.user.risk.calculated_level: - dashed_name: process-session-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.session_leader.user.risk.calculated_score: - dashed_name: process-session-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.session_leader.user.risk.calculated_score_norm: - dashed_name: process-session-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float -process.session_leader.user.risk.static_level: - dashed_name: process-session-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.session_leader.user.risk.static_score: - dashed_name: process-session-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.session_leader.user.risk.static_score_norm: - dashed_name: process-session-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.user.roles: - dashed_name: process-session-leader-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword process.session_leader.vpid: dashed_name: process-session-leader-vpid description: 'Virtual process id. @@ -59401,19 +14781,6 @@ process.start: normalize: [] short: The time the process started. type: date -process.supplemental_groups.domain: - dashed_name: process-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword process.supplemental_groups.id: dashed_name: process-supplemental-groups-id description: Unique identifier for the group on the system/platform. @@ -59505,6 +14872,7 @@ process.title: normalize: [] otel: - relation: match + stability: development short: Process title. type: keyword process.tty: 
@@ -59580,355 +14948,9 @@ process.uptime: otel: - metric: process.uptime relation: metric + stability: development short: Seconds the process has been up. type: long -process.user.domain: - dashed_name: process-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.user.email: - dashed_name: process-user-email - description: User email address. - flat_name: process.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. 
- flat_name: process.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.user.entity.id: - dashed_name: process-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. 
- dashed_name: process-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. 
- flat_name: process.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.user.entity.sub_type: - beta: This field is beta and subject to change. 
- dashed_name: process-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. 
Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. 
- name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.user.full_name: - dashed_name: process-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.user.group.domain: - dashed_name: process-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.user.group.id: - dashed_name: process-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.user.group.name: - dashed_name: process-user-group-name - description: Name of the group. - flat_name: process.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.user.hash: - dashed_name: process-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword process.user.id: dashed_name: process-user-id description: Unique identifier of the user. @@ -59941,6 +14963,7 @@ process.user.id: original_fieldset: user otel: - relation: match + stability: development short: Unique identifier of the user. type: keyword process.user.name: 
@@ -59959,102 +14982,9 @@ process.user.name: original_fieldset: user otel: - relation: match + stability: development short: Short name or login of the user. type: keyword -process.user.risk.calculated_level: - dashed_name: process-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.user.risk.calculated_score: - dashed_name: process-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.user.risk.calculated_score_norm: - dashed_name: process-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.user.risk.static_level: - dashed_name: process-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.user.risk.static_score: - dashed_name: process-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.user.risk.static_score_norm: - dashed_name: process-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.user.roles: - dashed_name: process-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword process.vpid: dashed_name: process-vpid description: 'Virtual process id. @@ -60070,6 +15000,7 @@ process.vpid: normalize: [] otel: - relation: match + stability: development short: Virtual process id. type: long process.working_directory: 
@@ -60087,6 +15018,7 @@ process.working_directory: normalize: [] otel: - relation: match + stability: development short: The working directory of the process. type: keyword registry.data.bytes: @@ -60373,6 +15305,7 @@ server.address: normalize: [] otel: - relation: match + stability: stable short: Server network address. type: keyword server.as.number: @@ -60638,6 +15571,7 @@ server.port: normalize: [] otel: - relation: match + stability: stable short: Port of the server. type: long server.registered_domain: 
@@ -60716,263 +15650,6 @@ server.user.email: original_fieldset: user short: User email address. type: keyword -server.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: server.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -server.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: server.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -server.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: server.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: server.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -server.user.entity.id: - dashed_name: server-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: server.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -server.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: server.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -server.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: server.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -server.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: server.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -server.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: server.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: server.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -server.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. 
- flat_name: server.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -server.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: server.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -server.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: server.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -server.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: server.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -server.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. 
This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: server-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: server.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword server.user.full_name: dashed_name: server-user-full-name description: User's full name, if available. 
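Review bot: the removal of the entire `server.user.entity.*` nesting in this hunk (`attributes` through `type`, ending at the `server.user.full_name` context line) is not accounted for by the commit messages ("update entity description", "update tests"), and the header of the following hunk moves from `-61067` to `+15744`, so the generated file has lost roughly 45k lines; that pattern points to regeneration from a different or partial schema set rather than to the intended effect of the entity changes. Confirm whether `entity` is meant to stop being reusable under `server.user`; otherwise regenerate against the full schema so this hunk only shows the new `cloud` and `orchestrator` allowed values and the `entity.target` nesting.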
@@ -61067,86 +15744,6 @@ server.user.name: original_fieldset: user short: Short name or login of the user. type: keyword -server.user.risk.calculated_level: - dashed_name: server-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: server.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -server.user.risk.calculated_score: - dashed_name: server-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: server.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -server.user.risk.calculated_score_norm: - dashed_name: server-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: server.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -server.user.risk.static_level: - dashed_name: server-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: server.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -server.user.risk.static_score: - dashed_name: server-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: server.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -server.user.risk.static_score_norm: - dashed_name: server-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: server.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float server.user.roles: dashed_name: server-user-roles description: Array of user roles at the time of the event. @@ -61449,6 +16046,7 @@ service.environment: otel: - attribute: deployment.environment.name relation: equivalent + stability: development short: Environment of the service. type: keyword service.ephemeral_id: @@ -61501,6 +16099,7 @@ service.name: normalize: [] otel: - relation: match + stability: stable short: Name of the service. type: keyword service.node.name: @@ -61526,6 +16125,7 @@ service.node.name: otel: - attribute: service.instance.id relation: equivalent + stability: development short: Name of the service node. type: keyword service.node.role: 
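Review bot: the `server.user.risk.*` removal at the top of this region (`calculated_level` through `static_score_norm`; the header says 86 lines replaced by 6) drops the `risk` field set from the reused `user` under `server`, while the root `user.risk.calculated_level` still appears as a context line later in this diff; if dropping `risk` under `server.user` (and `source.user`) is intentional, say so in the `risk` field-set documentation and in the PR description, and flag it as a breaking change for mappings that already index those fields.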
@@ -62529,6 +17129,7 @@ service.version: normalize: [] otel: - relation: match + stability: stable short: Version of the service. type: keyword source.address: @@ -62546,6 +17147,7 @@ source.address: normalize: [] otel: - relation: match + stability: development short: Source network address. type: keyword source.as.number: @@ -62811,6 +17413,7 @@ source.port: normalize: [] otel: - relation: match + stability: development short: Port of the source. type: long source.registered_domain: 
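Review bot: the `stability:` additions to the `otel` mappings in the `service.*` and `source.*` hunks are outside the stated scope of the PR (entity descriptions) and mix `stable` (`service.name`, `service.version`) with `development` (`service.environment`, `service.node.name`, `source.address`, `source.port`) without saying where the values come from; if they are taken from the OTel semantic-conventions registry, name the registry version in the commit message, and if they arrived through a merge from the base branch, rebase so this PR carries only the entity changes.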
@@ -62889,263 +17492,6 @@ source.user.email: original_fieldset: user short: User email address. type: keyword -source.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: source.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -source.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: source.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -source.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: source.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: source.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -source.user.entity.id: - dashed_name: source-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: source.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -source.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: source.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -source.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: source.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -source.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: source.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -source.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: source.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: source.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -source.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. 
- flat_name: source.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -source.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: source.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -source.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: source.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -source.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: source.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -source.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate resources, - entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. 
This - includes container orchestrators like Kubernetes, Docker Swarm, and other systems - responsible for automating the deployment, management, scaling, and networking - of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: source-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: source.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword source.user.full_name: dashed_name: source-user-full-name description: User's full name, if available. 
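Review bot: the deleted `source.user.entity.name` description in this hunk reads "this field should mirrors the corresponding *.name value"; since this text is generated from the `entity` schema, the same wording will survive in every remaining copy of `entity.name`, so fix it at the source ("should mirror") in this PR. The removal itself should also be confirmed as intentional, because it drops, under `source.user.entity.type`, the very `cloud` and `orchestrator` allowed values this PR introduces.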
@@ -63240,86 +17586,6 @@ source.user.name: original_fieldset: user short: Short name or login of the user. type: keyword -source.user.risk.calculated_level: - dashed_name: source-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: source.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -source.user.risk.calculated_score: - dashed_name: source-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: source.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -source.user.risk.calculated_score_norm: - dashed_name: source-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: source.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -source.user.risk.static_level: - dashed_name: source-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: source.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -source.user.risk.static_score: - dashed_name: source-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: source.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -source.user.risk.static_score_norm: - dashed_name: source-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: source.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float source.user.roles: dashed_name: source-user-roles description: Array of user roles at the time of the event. @@ -69019,6 +23285,7 @@ tls.cipher: normalize: [] otel: - relation: match + stability: development short: String indicating the cipher used during the current connection. type: keyword tls.client.certificate: @@ -69034,6 +23301,7 @@ tls.client.certificate: normalize: [] otel: - relation: match + stability: development short: PEM-encoded stand-alone certificate offered by the client. type: keyword tls.client.certificate_chain: 
@@ -69050,6 +23318,7 @@ tls.client.certificate_chain: - array otel: - relation: match + stability: development short: Array of PEM-encoded certificates that make up the certificate chain offered by the client. type: keyword @@ -69066,6 +23335,7 @@ tls.client.hash.md5: normalize: [] otel: - relation: match + stability: development short: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. type: keyword @@ -69082,6 +23352,7 @@ tls.client.hash.sha1: normalize: [] otel: - relation: match + stability: development short: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. type: keyword @@ -69098,6 +23369,7 @@ tls.client.hash.sha256: normalize: [] otel: - relation: match + stability: development short: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. type: keyword @@ -69113,6 +23385,7 @@ tls.client.issuer: normalize: [] otel: - relation: match + stability: development short: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. type: keyword @@ -69128,6 +23401,7 @@ tls.client.ja3: normalize: [] otel: - relation: match + stability: development short: A hash that identifies clients based on how they perform an SSL/TLS handshake. type: keyword tls.client.not_after: @@ -69141,6 +23415,7 @@ tls.client.not_after: normalize: [] otel: - relation: match + stability: development short: Date/Time indicating when client certificate is no longer considered valid. type: date tls.client.not_before: @@ -69153,6 +23428,7 @@ tls.client.not_before: normalize: [] otel: - relation: match + stability: development short: Date/Time indicating when client certificate is first considered valid. type: date tls.client.server_name: 
@@ -69180,6 +23456,7 @@ tls.client.subject: normalize: [] otel: - relation: match + stability: development short: Distinguished name of subject of the x.509 certificate presented by the client. type: keyword tls.client.supported_ciphers: @@ -69195,6 +23472,7 @@ tls.client.supported_ciphers: - array otel: - relation: match + stability: development short: Array of ciphers offered by the client during the client hello. type: keyword tls.client.x509.alternative_names: @@ -69513,6 +23791,7 @@ tls.curve: normalize: [] otel: - relation: match + stability: development short: String indicating the curve used for the given cipher, when applicable. type: keyword tls.established: @@ -69525,6 +23804,7 @@ tls.established: normalize: [] otel: - relation: match + stability: development short: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. type: boolean @@ -69541,6 +23821,7 @@ tls.next_protocol: normalize: [] otel: - relation: match + stability: development short: String indicating the protocol being tunneled. type: keyword tls.resumed: @@ -69553,6 +23834,7 @@ tls.resumed: normalize: [] otel: - relation: match + stability: development short: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. type: boolean @@ -69569,6 +23851,7 @@ tls.server.certificate: normalize: [] otel: - relation: match + stability: development short: PEM-encoded stand-alone certificate offered by the server. type: keyword tls.server.certificate_chain: @@ -69585,6 +23868,7 @@ tls.server.certificate_chain: - array otel: - relation: match + stability: development short: Array of PEM-encoded certificates that make up the certificate chain offered by the server. type: keyword @@ -69601,6 +23885,7 @@ tls.server.hash.md5: normalize: [] otel: - relation: match + stability: development short: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. type: keyword 
@@ -69617,6 +23902,7 @@ tls.server.hash.sha1: normalize: [] otel: - relation: match + stability: development short: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. type: keyword @@ -69633,6 +23919,7 @@ tls.server.hash.sha256: normalize: [] otel: - relation: match + stability: development short: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. type: keyword @@ -69647,6 +23934,7 @@ tls.server.issuer: normalize: [] otel: - relation: match + stability: development short: Subject of the issuer of the x.509 certificate presented by the server. type: keyword tls.server.ja3s: @@ -69661,6 +23949,7 @@ tls.server.ja3s: normalize: [] otel: - relation: match + stability: development short: A hash that identifies servers based on how they perform an SSL/TLS handshake. type: keyword tls.server.not_after: @@ -69674,6 +23963,7 @@ tls.server.not_after: normalize: [] otel: - relation: match + stability: development short: Timestamp indicating when server certificate is no longer considered valid. type: date tls.server.not_before: @@ -69686,6 +23976,7 @@ tls.server.not_before: normalize: [] otel: - relation: match + stability: development short: Timestamp indicating when server certificate is first considered valid. type: date tls.server.subject: @@ -69699,6 +23990,7 @@ tls.server.subject: normalize: [] otel: - relation: match + stability: development short: Subject of the x.509 certificate presented by the server. type: keyword tls.server.x509.alternative_names: @@ -70079,6 +24371,7 @@ url.domain: normalize: [] otel: - relation: match + stability: development short: Domain of the url. type: keyword url.extension: @@ -70101,6 +24394,7 @@ url.extension: normalize: [] otel: - relation: match + stability: development short: File extension from the request url, excluding the leading dot. type: keyword url.fragment: 
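Review bot: the `tls.*` hunks consistently add `stability: development`, which is fine, but their context lines expose a wording mismatch between `tls.client.not_after`/`not_before` ("Date/Time indicating when client certificate ...") and `tls.server.not_after`/`not_before` ("Timestamp indicating when server certificate ..."); while these entries are being regenerated anyway, align the short descriptions on one form in the source schema.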
@@ -70115,6 +24409,7 @@ url.fragment: normalize: [] otel: - relation: match + stability: stable short: Portion of the url after the `#`. type: keyword url.full: @@ -70132,6 +24427,7 @@ url.full: normalize: [] otel: - relation: match + stability: stable short: Full unparsed URL. type: wildcard url.original: @@ -70153,6 +24449,7 @@ url.original: normalize: [] otel: - relation: match + stability: development short: Unmodified original url as seen in the event source. type: wildcard url.password: @@ -70174,6 +24471,7 @@ url.path: normalize: [] otel: - relation: match + stability: stable short: Path of the request, such as "/search". type: wildcard url.port: @@ -70187,6 +24485,7 @@ url.port: normalize: [] otel: - relation: match + stability: development short: Port of the request, such as 443. type: long url.query: @@ -70205,6 +24504,7 @@ url.query: normalize: [] otel: - relation: match + stability: stable short: Query string of the request. type: keyword url.registered_domain: @@ -70224,6 +24524,7 @@ url.registered_domain: normalize: [] otel: - relation: match + stability: development short: The highest registered url domain, stripped of the subdomain. type: keyword url.scheme: @@ -70239,6 +24540,7 @@ url.scheme: normalize: [] otel: - relation: match + stability: stable short: Scheme of the url. type: keyword url.subdomain: @@ -70259,6 +24561,7 @@ url.subdomain: normalize: [] otel: - relation: match + stability: development short: The subdomain of the domain. type: keyword url.top_level_domain: @@ -70278,6 +24581,7 @@ url.top_level_domain: normalize: [] otel: - relation: match + stability: development short: The effective top level domain (com, org, net, co.uk). type: keyword url.username: @@ -71250,6 +25554,7 @@ user.email: normalize: [] otel: - relation: match + stability: development short: User email address. type: keyword user.entity.attributes: 
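Review bot: the `stability` values added under each `otel:` entry in the `url.*` hunks split into `stable` (`url.fragment`, `url.full`, `url.path`, `url.query`, `url.scheme`) and `development` (`url.domain`, `url.extension`, `url.original`, `url.port`, `url.registered_domain`, `url.subdomain`, `url.top_level_domain`), but nothing in the hunks records which OpenTelemetry semantic-conventions release those classifications were taken from. Stability is a property of the semconv version, not of ECS, so the mapping goes stale silently when an attribute graduates; record the semconv version in the generator source (or at minimum in the PR description) and make sure these values are emitted by the generator rather than edited by hand in the generated files.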
@@ -71524,6 +25829,7 @@ user.full_name: normalize: [] otel: - relation: match + stability: development short: User's full name, if available. type: keyword user.group.domain: @@ -71575,6 +25881,7 @@ user.hash: normalize: [] otel: - relation: match + stability: development short: Unique user hash to correlate information for a user in anonymized form. type: keyword user.id: @@ -71588,6 +25895,7 @@ user.id: normalize: [] otel: - relation: match + stability: development short: Unique identifier of the user. type: keyword user.name: @@ -71605,6 +25913,7 @@ user.name: normalize: [] otel: - relation: match + stability: development short: Short name or login of the user. type: keyword user.risk.calculated_level: @@ -71699,6 +26008,7 @@ user.roles: - array otel: - relation: match + stability: development short: Array of user roles at the time of the event. synthetic_source_keep: none type: keyword @@ -72193,6 +26503,7 @@ user_agent.name: normalize: [] otel: - relation: match + stability: development short: Name of the user agent. type: keyword user_agent.original: @@ -72211,6 +26522,7 @@ user_agent.original: normalize: [] otel: - relation: match + stability: stable short: Unparsed user_agent string. type: keyword user_agent.os.family: @@ -72329,6 +26641,7 @@ user_agent.version: normalize: [] otel: - relation: match + stability: development short: Version of the user agent. type: keyword volume.bus_type: diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 09c1e23fa2..644f4cd19a 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -214,8 +214,10 @@ base: otel: - attribute: k8s.pod.label relation: related + stability: development - attribute: container.label relation: related + stability: development short: Custom key/value pairs. type: object message: @@ -292,6 +294,7 @@ client: normalize: [] otel: - relation: match + stability: stable short: Client network address. type: keyword client.as.number: 
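Review bot: the hunk headers for the first generated file in this diff end at `@@ -72329,6 +26641,7 @@`, a net removal of roughly 45,000 lines before that point, which the one-line `stability` additions shown cannot account for. The PR description should spell out what was regenerated (presumably the same `entity` and `risk` reuse removals that are visible below in `generated/ecs/ecs_nested.yml`) so a reviewer can tell intended schema removals from a stale or misconfigured generator run.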
@@ -559,6 +562,7 @@ client: normalize: [] otel: - relation: match + stability: stable short: Port of the client. type: long client.registered_domain: 
@@ -637,268 +641,6 @@ client: original_fieldset: user short: User email address. type: keyword - client.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: client.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - client.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: client.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - client.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: client.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: client.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - client.user.entity.id: - dashed_name: client-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: client.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - client.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: client.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - client.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: client.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - client.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: client.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - client.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: client.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: client.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - client.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. 
- flat_name: client.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - client.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: client.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - client.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: client.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - client.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: client.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - client.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. 
- This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: client-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: client.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword client.user.full_name: dashed_name: client-user-full-name description: User's full name, if available. 
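Review bot: this hunk (`@@ -637,268 +641,6 @@ client:`) removes the whole `client.user.entity.*` block (`attributes`, `behavior`, `display_name`, `id`, `last_seen_timestamp`, `lifecycle`, `metrics`, `name`, `raw`, `reference`, `source`, `sub_type`, `type`) from the generated nested schema, yet neither commit message in this series says that `entity` is no longer reused under `client.user`. Confirm the removal is intentional and comes from a reuse change in the source schema rather than from the generator, and update the documented list of locations where `entity` fields are expected to be nested so the docs and the generated artifacts agree.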
@@ -993,86 +735,6 @@ client: original_fieldset: user short: Short name or login of the user. type: keyword - client.user.risk.calculated_level: - dashed_name: client-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: client.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - client.user.risk.calculated_score: - dashed_name: client-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: client.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - client.user.risk.calculated_score_norm: - dashed_name: client-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: client.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - client.user.risk.static_level: - dashed_name: client-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: client.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - client.user.risk.static_score: - dashed_name: client-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: client.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - client.user.risk.static_score_norm: - dashed_name: client-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: client.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float client.user.roles: dashed_name: client-user-roles description: Array of user roles at the time of the event. @@ -1125,6 +787,7 @@ cloud: normalize: [] otel: - relation: match + stability: development short: The cloud account or organization id. type: keyword cloud.account.name: @@ -1152,6 +815,7 @@ cloud: normalize: [] otel: - relation: match + stability: development short: Availability zone in which this host, resource, or service is located. type: keyword cloud.entity.attributes: @@ -1894,6 +1558,7 @@ cloud: normalize: [] otel: - relation: match + stability: development short: Name of the cloud provider. type: keyword cloud.region: 
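Review bot: the removal of `client.user.risk.calculated_level` through `client.user.risk.static_score_norm` (`@@ -993,86 +735,6 @@ client:`) is unrelated to the entity description and nesting changes this series is about, and no commit message mentions `risk`. If it is a deliberate de-nesting of the `risk` field set under `client.user`, it breaks any detection rule or dashboard keyed on `client.user.risk.*` and needs to be called out and recorded in the changelog rather than arrive silently inside a regenerated artifact; if it is not deliberate, the generator ran against a schema that no longer reuses `risk` there and these lines should be restored.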
@@ -1907,6 +1572,7 @@ cloud: normalize: [] otel: - relation: match + stability: development short: Region in which this host, resource, or service is located. type: keyword cloud.service.name: @@ -1925,6 +1591,7 @@ cloud: otel: - attribute: cloud.platform relation: equivalent + stability: development short: The cloud service name. type: keyword cloud.target.account.id: @@ -2563,6 +2230,7 @@ container: otel: - metric: container.cpu.usage relation: metric + stability: development scaling_factor: 1000 short: Percent CPU used, between 0 and 1. type: scaled_float @@ -2596,6 +2264,7 @@ container: normalize: [] otel: - relation: match + stability: development short: Unique container id. type: keyword container.image.hash.all: @@ -2613,6 +2282,7 @@ container: otel: - attribute: container.image.repo_digests relation: equivalent + stability: development short: An array of digests of the image the container was built on. type: keyword container.image.name: @@ -2625,6 +2295,7 @@ container: normalize: [] otel: - relation: match + stability: development short: Name of the image the container was built on. type: keyword container.image.tag: @@ -2639,6 +2310,7 @@ container: otel: - attribute: container.image.tags relation: equivalent + stability: development short: Container image tags. synthetic_source_keep: none type: keyword @@ -2653,6 +2325,7 @@ container: otel: - attribute: container.label relation: related + stability: development short: Image labels. type: object container.memory.usage: @@ -2666,6 +2339,7 @@ container: otel: - metric: container.memory.usage relation: metric + stability: development scaling_factor: 1000 short: Percent memory used, between 0 and 1. type: scaled_float @@ -2679,6 +2353,7 @@ container: normalize: [] otel: - relation: match + stability: development short: Container name. type: keyword container.network.egress.bytes: 
@@ -2713,6 +2388,7 @@ container: otel: - attribute: container.runtime.name relation: equivalent + stability: development short: Runtime managing this container. type: keyword container.security_context.privileged: @@ -2833,6 +2509,7 @@ destination: normalize: [] otel: - relation: match + stability: development short: Destination network address. type: keyword destination.as.number: @@ -3099,6 +2776,7 @@ destination: normalize: [] otel: - relation: match + stability: development short: Port of the destination. type: long destination.registered_domain: 
@@ -3177,268 +2855,6 @@ destination: original_fieldset: user short: User email address. type: keyword - destination.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: destination.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - destination.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: destination.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - destination.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: destination.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: destination.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - destination.user.entity.id: - dashed_name: destination-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: destination.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - destination.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: destination.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - destination.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: destination.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - destination.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: destination.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - destination.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: destination.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: destination.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - destination.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. 
- flat_name: destination.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - destination.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: destination.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - destination.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: destination.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - destination.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: destination.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - destination.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. 
- This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: destination.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword destination.user.full_name: dashed_name: destination-user-full-name description: User's full name, if available. 
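Review bot: this hunk deletes the entire `destination.user.entity.*` nesting (`raw`, `reference`, `source`, `sub_type`, `type`) from the generated file, and the removed `type.allowed_values` list already contains the `cloud` and `orchestrator` entries, so the pre-image was generated from a schema that had them; confirm the generated YAML was rebuilt from the intended schema state and not against a stale base, because dropping the entity nesting under `destination.user` is a schema change that the commit subject "update tests" does not describe. If the removal is deliberate, state it in the commit message so downstream consumers of `destination.user.entity.*` know to expect it.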
@@ -3533,86 +2949,6 @@ destination: original_fieldset: user short: Short name or login of the user. type: keyword - destination.user.risk.calculated_level: - dashed_name: destination-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: destination.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - destination.user.risk.calculated_score: - dashed_name: destination-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: destination.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - destination.user.risk.calculated_score_norm: - dashed_name: destination-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: destination.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - destination.user.risk.static_level: - dashed_name: destination-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: destination.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - destination.user.risk.static_score: - dashed_name: destination-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: destination.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - destination.user.risk.static_score_norm: - dashed_name: destination-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: destination.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float destination.user.roles: dashed_name: destination-user-roles description: Array of user roles at the time of the event. @@ -3676,6 +3012,7 @@ device: normalize: [] otel: - relation: match + stability: development short: The unique identifier of a device. type: keyword device.manufacturer: @@ -3689,6 +3026,7 @@ device: normalize: [] otel: - relation: match + stability: development short: The vendor name of the device manufacturer. type: keyword device.model.identifier: @@ -3702,6 +3040,7 @@ device: normalize: [] otel: - relation: match + stability: development short: The machine readable identifier of the device model. type: keyword device.model.name: 
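Review bot: the `-3533,86 +2949,6` hunk also removes all six `destination.user.risk.*` fields (`calculated_level`, `calculated_score`, `calculated_score_norm`, `static_level`, `static_score`, `static_score_norm`), which has nothing to do with the entity description update; confirm the `risk` nesting under `destination.user` is intentionally being dropped, and if it is not, regenerate the file from the current schema before this lands.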
@@ -3715,6 +3054,7 @@ device: normalize: [] otel: - relation: match + stability: development short: The human readable marketing name of the device model. type: keyword device.product.id: @@ -4478,6 +3818,7 @@ dns: otel: - attribute: dns.answers relation: related + stability: development short: Array of DNS answers. type: object dns.answers.class: @@ -4617,6 +3958,7 @@ dns: normalize: [] otel: - relation: match + stability: development short: The name being queried. type: keyword dns.question.registered_domain: @@ -6118,6 +5460,7 @@ error: otel: - attribute: exception.message relation: equivalent + stability: stable short: Error message. type: match_only_text error.stack_trace: @@ -6134,6 +5477,7 @@ error: otel: - attribute: exception.stacktrace relation: equivalent + stability: stable short: The stack trace of this error in plain text. type: wildcard error.type: @@ -6147,6 +5491,7 @@ error: normalize: [] otel: - relation: match + stability: stable short: The type of the error, for example the class name of the exception. type: keyword group: 2 @@ -7067,6 +6412,7 @@ faas: normalize: [] otel: - relation: match + stability: development short: Boolean value indicating a cold start of a function. type: boolean faas.execution: @@ -7081,6 +6427,7 @@ faas: otel: - attribute: faas.invocation_id relation: equivalent + stability: development short: The execution ID of the current function execution. type: keyword faas.id: @@ -7108,6 +6455,7 @@ faas: normalize: [] otel: - relation: match + stability: development short: The name of a serverless function. type: keyword faas.trigger.request_id: @@ -7139,6 +6487,7 @@ faas: otel: - attribute: faas.trigger relation: equivalent + stability: development short: The trigger for the function execution. type: keyword faas.version: @@ -7152,6 +6501,7 @@ faas: normalize: [] otel: - relation: match + stability: development short: The version of a serverless function. type: keyword group: 2 
@@ -7180,6 +6530,7 @@ file: normalize: [] otel: - relation: match + stability: development short: Last time the file was accessed. type: date file.attributes: @@ -7198,6 +6549,7 @@ file: - array otel: - relation: match + stability: development short: Array of file attributes. synthetic_source_keep: none type: keyword @@ -7363,6 +6715,7 @@ file: normalize: [] otel: - relation: match + stability: development short: File creation time. type: date file.ctime: @@ -7378,6 +6731,7 @@ file: otel: - attribute: file.changed relation: equivalent + stability: development short: Last time the file attributes or metadata changed. type: date file.device: @@ -7403,6 +6757,7 @@ file: normalize: [] otel: - relation: match + stability: development short: Directory where the file is located. type: keyword file.drive_letter: @@ -7876,6 +7231,7 @@ file: normalize: [] otel: - relation: match + stability: development short: File extension, excluding the leading dot. type: keyword file.fork_name: @@ -7901,6 +7257,7 @@ file: normalize: [] otel: - relation: match + stability: development short: A fork is additional data associated with a filesystem object. type: keyword file.gid: @@ -7915,6 +7272,7 @@ file: otel: - attribute: file.group.id relation: equivalent + stability: development short: Primary group ID (GID) of the file. type: keyword file.group: @@ -7929,6 +7287,7 @@ file: otel: - attribute: file.group.name relation: equivalent + stability: development short: Primary group name of the file. type: keyword file.hash.cdhash: @@ -8033,6 +7392,7 @@ file: normalize: [] otel: - relation: match + stability: development short: Inode representing the file in the filesystem. type: keyword file.macho.go_import_hash: @@ -8258,6 +7618,7 @@ file: normalize: [] otel: - relation: match + stability: development short: Mode of the file in octal representation. type: keyword file.mtime: 
@@ -8270,6 +7631,7 @@ file: otel: - attribute: file.modified relation: equivalent + stability: development short: Last time the file content was modified. type: date file.name: @@ -8283,6 +7645,7 @@ file: normalize: [] otel: - relation: match + stability: development short: Name of the file including the extension, without the directory. type: keyword file.origin_referrer_url: @@ -8321,6 +7684,7 @@ file: otel: - attribute: file.owner.name relation: equivalent + stability: development short: File owner's username. type: keyword file.path: @@ -8339,6 +7703,7 @@ file: normalize: [] otel: - relation: match + stability: development short: Full path to the file, including the file name. type: keyword file.pe.architecture: @@ -8640,6 +8005,7 @@ file: normalize: [] otel: - relation: match + stability: development short: File size in bytes. type: long file.target_path: @@ -8657,6 +8023,7 @@ file: otel: - attribute: file.symbolic_link.target_path relation: equivalent + stability: development short: Target path for symlinks. type: keyword file.type: @@ -8682,6 +8049,7 @@ file: otel: - attribute: file.owner.id relation: equivalent + stability: development short: The user ID (UID) or security identifier (SID) of the file owner. type: keyword file.x509.alternative_names: @@ -9052,6 +8420,7 @@ gen_ai: normalize: [] otel: - relation: match + stability: development short: Free-form description of the GenAI agent provided by the application. type: keyword gen_ai.agent.id: @@ -9066,6 +8435,7 @@ gen_ai: normalize: [] otel: - relation: match + stability: development short: The unique identifier of the GenAI agent. type: keyword gen_ai.agent.name: @@ -9080,6 +8450,7 @@ gen_ai: normalize: [] otel: - relation: match + stability: development short: Human-readable name of the GenAI agent provided by the application. type: keyword gen_ai.operation.name: 
@@ -9094,6 +8465,7 @@ gen_ai: normalize: [] otel: - relation: match + stability: development short: The name of the operation being performed. type: keyword gen_ai.output.type: @@ -9108,6 +8480,7 @@ gen_ai: normalize: [] otel: - relation: match + stability: development short: Represents the content type requested by the client. type: keyword gen_ai.request.choice.count: @@ -9121,6 +8494,7 @@ gen_ai: normalize: [] otel: - relation: match + stability: development short: The target number of candidate completions to return. type: integer gen_ai.request.encoding_formats: @@ -9134,6 +8508,7 @@ gen_ai: normalize: [] otel: - relation: match + stability: development short: The encoding formats requested in an embeddings operation, if specified. type: nested gen_ai.request.frequency_penalty: @@ -9147,6 +8522,7 @@ gen_ai: normalize: [] otel: - relation: match + stability: development short: The frequency penalty setting for the GenAI request. type: double gen_ai.request.max_tokens: @@ -9160,6 +8536,7 @@ gen_ai: normalize: [] otel: - relation: match + stability: development short: The maximum number of tokens the model generates for a request. type: integer gen_ai.request.model: @@ -9174,6 +8551,7 @@ gen_ai: normalize: [] otel: - relation: match + stability: development short: The name of the GenAI model a request is being made to. type: keyword gen_ai.request.presence_penalty: @@ -9187,6 +8565,7 @@ gen_ai: normalize: [] otel: - relation: match + stability: development short: The presence penalty setting for the GenAI request. type: double gen_ai.request.seed: @@ -9200,6 +8579,7 @@ gen_ai: normalize: [] otel: - relation: match + stability: development short: Requests with same seed value more likely to return same result. type: integer gen_ai.request.stop_sequences: @@ -9214,6 +8594,7 @@ gen_ai: normalize: [] otel: - relation: match + stability: development short: List of sequences that the model will use to stop generating further tokens. type: nested 
@@ -9228,6 +8609,7 @@ gen_ai: normalize: [] otel: - relation: match + stability: development short: The temperature setting for the GenAI request. type: double gen_ai.request.top_k: @@ -9241,6 +8623,7 @@ gen_ai: normalize: [] otel: - relation: match + stability: development short: The top_k sampling setting for the GenAI request. type: double gen_ai.request.top_p: @@ -9254,6 +8637,7 @@ gen_ai: normalize: [] otel: - relation: match + stability: development short: The top_p sampling setting for the GenAI request. type: double gen_ai.response.finish_reasons: @@ -9268,6 +8652,7 @@ gen_ai: normalize: [] otel: - relation: match + stability: development short: Array of reasons the model stopped generating tokens, corresponding to each generation received. type: nested @@ -9283,6 +8668,7 @@ gen_ai: normalize: [] otel: - relation: match + stability: development short: The unique identifier for the completion. type: keyword gen_ai.response.model: @@ -9297,6 +8683,7 @@ gen_ai: normalize: [] otel: - relation: match + stability: development short: The name of the model that generated the response. type: keyword gen_ai.system: @@ -9313,6 +8700,7 @@ gen_ai: otel: - attribute: gen_ai.provider.name relation: equivalent + stability: development short: The Generative AI product as identified by the client or server instrumentation. type: keyword gen_ai.token.type: @@ -9327,6 +8715,7 @@ gen_ai: normalize: [] otel: - relation: match + stability: development short: The type of token being counted. type: keyword gen_ai.tool.call.id: @@ -9341,6 +8730,7 @@ gen_ai: normalize: [] otel: - relation: match + stability: development short: The tool call identifier. type: keyword gen_ai.tool.name: @@ -9355,6 +8745,7 @@ gen_ai: normalize: [] otel: - relation: match + stability: development short: Name of the tool utilized by the agent. type: keyword gen_ai.tool.type: 
@@ -9369,6 +8760,7 @@ gen_ai: normalize: [] otel: - relation: match + stability: development short: Type of the tool utilized by the agent type: keyword gen_ai.usage.input_tokens: @@ -9382,6 +8774,7 @@ gen_ai: normalize: [] otel: - relation: match + stability: development short: The number of tokens used in the GenAI input (prompt). type: integer gen_ai.usage.output_tokens: @@ -9395,6 +8788,7 @@ gen_ai: normalize: [] otel: - relation: match + stability: development short: The number of tokens used in the GenAI response (completion). type: integer group: 2 @@ -9423,6 +8817,7 @@ geo: otel: - attribute: geo.locality.name relation: equivalent + stability: development short: City name. type: keyword geo.continent_code: @@ -9437,6 +8832,7 @@ geo: otel: - attribute: geo.continent.code relation: equivalent + stability: development short: Continent code. type: keyword geo.continent_name: @@ -9462,6 +8858,7 @@ geo: otel: - attribute: geo.country.iso_code relation: equivalent + stability: development short: Country ISO code. type: keyword geo.country_name: @@ -9486,8 +8883,10 @@ geo: otel: - attribute: geo.location.lat relation: related + stability: development - attribute: geo.location.lon relation: related + stability: development short: Longitude and latitude. type: geo_point geo.name: @@ -9521,6 +8920,7 @@ geo: normalize: [] otel: - relation: match + stability: development short: Postal code. type: keyword geo.region_iso_code: @@ -9535,6 +8935,7 @@ geo: otel: - attribute: geo.region.iso_code relation: equivalent + stability: development short: Region ISO code. type: keyword geo.region_name: @@ -9801,6 +9202,7 @@ host: otel: - attribute: host.arch relation: equivalent + stability: development short: Operating system architecture. type: keyword host.boot.id: @@ -9833,6 +9235,7 @@ host: otel: - metric: system.cpu.utilization relation: metric + stability: development scaling_factor: 1000 short: Percent CPU used, between 0 and 1. type: scaled_float 
@@ -9847,6 +9250,7 @@ host: otel: - metric: system.disk.io relation: metric + stability: development short: The number of bytes read by all disks. type: long host.disk.write.bytes: @@ -9860,6 +9264,7 @@ host: otel: - metric: system.disk.io relation: metric + stability: development short: The number of bytes written on all disks. type: long host.domain: @@ -10305,6 +9710,7 @@ host: normalize: [] otel: - relation: match + stability: development short: Unique host id. type: keyword host.ip: @@ -10317,6 +9723,7 @@ host: - array otel: - relation: match + stability: development short: Host ip addresses. synthetic_source_keep: none type: ip @@ -10337,6 +9744,7 @@ host: - array otel: - relation: match + stability: development pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ short: Host MAC addresses. synthetic_source_keep: none @@ -10355,6 +9763,7 @@ host: normalize: [] otel: - relation: match + stability: development short: Name of the host. type: keyword host.network.egress.bytes: @@ -10368,6 +9777,7 @@ host: otel: - metric: system.network.io relation: metric + stability: development short: The number of bytes sent on all network interfaces. type: long host.network.egress.packets: @@ -10381,6 +9791,7 @@ host: otel: - metric: system.network.packet.count relation: metric + stability: development short: The number of packets sent on all network interfaces. type: long host.network.ingress.bytes: @@ -10394,6 +9805,7 @@ host: otel: - metric: system.network.io relation: metric + stability: development short: The number of bytes received on all network interfaces. type: long host.network.ingress.packets: @@ -10407,6 +9819,7 @@ host: otel: - metric: system.network.packet.count relation: metric + stability: development short: The number of packets received on all network interfaces. type: long host.os.family: @@ -10620,6 +10033,7 @@ host: normalize: [] otel: - relation: match + stability: development short: Type of host. type: keyword host.uptime: 
@@ -10633,6 +10047,7 @@ host: otel: - metric: system.uptime relation: metric + stability: development short: Seconds the host has been up. type: long group: 2 @@ -10675,6 +10090,7 @@ http: otel: - attribute: http.request.body.size relation: equivalent + stability: development short: Size in bytes of the request body. type: long http.request.body.content: @@ -10703,6 +10119,7 @@ http: otel: - attribute: http.request.size relation: equivalent + stability: development short: Total size in bytes of the request (body and headers). type: long http.request.id: @@ -10735,6 +10152,7 @@ http: otel: - attribute: http.request.method_original relation: equivalent + stability: stable - attribute: http.request.method note: '`http.request.method` in SemConv is the known, normalized, upper case value of the request method, other than the ECS'' `http.request.method` @@ -10742,6 +10160,7 @@ http: ' relation: conflict + stability: stable short: HTTP request method. type: keyword http.request.mime_type: @@ -10783,6 +10202,7 @@ http: otel: - attribute: http.response.body.size relation: equivalent + stability: development short: Size in bytes of the response body. type: long http.response.body.content: @@ -10811,6 +10231,7 @@ http: otel: - attribute: http.response.size relation: equivalent + stability: development short: Total size in bytes of the response (body and headers). type: long http.response.mime_type: @@ -10840,6 +10261,7 @@ http: normalize: [] otel: - relation: match + stability: stable short: HTTP response status code. type: long http.version: @@ -10854,12 +10276,14 @@ http: otel: - attribute: network.protocol.name relation: related + stability: stable - attribute: network.protocol.version note: 'In OTel SemConv, `network.protocol.version` specifies the HTTP version if the value of `network.protocol.name` is `http`. ' relation: related + stability: stable short: HTTP version. type: keyword group: 2 
@@ -10949,6 +10373,7 @@ log: normalize: [] otel: - relation: match + stability: development short: Full path to the log file this event came from. type: keyword log.level: @@ -11570,6 +10995,7 @@ network: otel: - attribute: network.protocol.name relation: equivalent + stability: stable short: Application protocol name. type: keyword network.transport: @@ -11586,6 +11012,7 @@ network: normalize: [] otel: - relation: match + stability: stable short: Protocol Name corresponding to the field `iana_number`. type: keyword network.type: @@ -11602,6 +11029,7 @@ network: normalize: [] otel: - relation: match + stability: stable short: In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc type: keyword @@ -12737,6 +12165,7 @@ os: otel: - attribute: os.description relation: equivalent + stability: development short: Operating system name, including the version or code name. type: keyword os.kernel: @@ -12765,6 +12194,7 @@ os: normalize: [] otel: - relation: match + stability: development short: Operating system name, without the version. type: keyword os.platform: @@ -12804,6 +12234,7 @@ os: note: The expected values in ECS for `os.type` do not correspond with the values defined in semantic conventions! relation: conflict + stability: development short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or android).' type: keyword @@ -12818,6 +12249,7 @@ os: normalize: [] otel: - relation: match + stability: development short: Operating system version as a raw string. type: keyword group: 2 @@ -13309,6 +12741,7 @@ process: otel: - attribute: process.command_args relation: equivalent + stability: development short: Array of process arguments. type: keyword process.args_count: 
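Review bot: every `otel` mapping from `device.*` through `process.args` gains a new `stability:` key (`development` or `stable`) in this patch, which is a bulk regeneration result rather than a test update; move these hunks into their own commit and note which generator or semantic-conventions version the values come from, since `stable` versus `development` is a claim about the upstream attribute (`http.request.method`, `network.protocol.name` and `error.type` are marked `stable` here while `file.*`, `gen_ai.*` and `host.*` are marked `development`) and reviewers need to be able to check it independently of the entity change.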
@@ -13325,517 +12758,9 @@ process: normalize: [] otel: - relation: match + stability: development short: Length of the process.args array. type: long - process.attested_groups.domain: - dashed_name: process-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.attested_groups.id: - dashed_name: process-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.attested_groups.name: - dashed_name: process-attested-groups-name - description: Name of the group. - flat_name: process.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.attested_user.domain: - dashed_name: process-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.attested_user.email: - dashed_name: process-attested-user-email - description: User email address. - flat_name: process.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. 
- type: keyword - process.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.attested_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.attested_user.entity.id: - dashed_name: process-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. 
Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.attested_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. 
While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. 
- This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.attested_user.full_name: - dashed_name: process-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.attested_user.group.domain: - dashed_name: process-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.attested_user.group.id: - dashed_name: process-attested-user-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.attested_user.group.name: - dashed_name: process-attested-user-group-name - description: Name of the group. - flat_name: process.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.attested_user.hash: - dashed_name: process-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.attested_user.id: - dashed_name: process-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.attested_user.name: - dashed_name: process-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword - process.attested_user.risk.calculated_level: - dashed_name: process-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.attested_user.risk.calculated_score: - dashed_name: process-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.attested_user.risk.calculated_score_norm: - dashed_name: process-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.attested_user.risk.static_level: - dashed_name: process-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.attested_user.risk.static_score: - dashed_name: process-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.attested_user.risk.static_score_norm: - dashed_name: process-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.attested_user.roles: - dashed_name: process-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword process.code_signature.digest_algorithm: dashed_name: process-code-signature-digest-algorithm description: 'The hashing algorithm used to sign the process. 
@@ -14004,6 +12929,7 @@ process: normalize: [] otel: - relation: match + stability: development short: Full command line that started the process. type: wildcard process.elf.architecture: @@ -14459,17 +13385,6 @@ process: normalize: [] short: The time the process ended. type: date - process.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean process.entity_id: dashed_name: process-entity-id description: 'Unique identifier for the process. @@ -14520,30 +13435,6 @@ process: original_fieldset: process short: Length of the process.args array. type: long - process.entry_leader.attested_groups.domain: - dashed_name: process-entry-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.attested_groups.id: - dashed_name: process-entry-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword process.entry_leader.attested_groups.name: dashed_name: process-entry-leader-attested-groups-name description: Name of the group. 
@@ -14555,325 +13446,307 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.entry_leader.attested_user.domain: - dashed_name: process-entry-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.attested_user.domain + process.entry_leader.attested_user.id: + dashed_name: process-entry-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.attested_user.id ignore_above: 1024 - level: extended - name: domain + level: core + name: id normalize: [] original_fieldset: user - short: Name of the directory the user is a member of. + short: Unique identifier of the user. type: keyword - process.entry_leader.attested_user.email: - dashed_name: process-entry-leader-attested-user-email - description: User email address. - flat_name: process.entry_leader.attested_user.email + process.entry_leader.attested_user.name: + dashed_name: process-entry-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.attested_user.name ignore_above: 1024 - level: extended - name: email + level: core + multi_fields: + - flat_name: process.entry_leader.attested_user.name.text + name: text + type: match_only_text + name: name normalize: [] original_fieldset: user - short: User email address. + short: Short name or login of the user. type: keyword - process.entry_leader.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. 
Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.entry_leader.attested_user.entity.attributes + process.entry_leader.command_line: + dashed_name: process-entry-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.entry_leader.command_line level: extended - name: attributes + multi_fields: + - flat_name: process.entry_leader.command_line.text + name: text + type: match_only_text + name: command_line normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.entry_leader.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.attested_user.entity.behavior + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.entry_leader.entity_id: + dashed_name: process-entry-leader-entity-id + description: 'Unique identifier for the process. 
+ + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.entry_leader.entity_id + ignore_above: 1024 level: extended - name: behavior + name: entity_id normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.entry_leader.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.attested_user.entity.display_name + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.entry_leader.entry_meta.source.ip: + dashed_name: process-entry-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.entry_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip + process.entry_leader.entry_meta.type: + dashed_name: process-entry-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' 
+ flat_name: process.entry_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword + process.entry_leader.executable: + dashed_name: process-entry-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.entry_leader.executable ignore_above: 1024 level: extended multi_fields: - - flat_name: process.entry_leader.attested_user.entity.display_name.text + - flat_name: process.entry_leader.executable.text name: text type: match_only_text - name: display_name + name: executable normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. + original_fieldset: process + short: Absolute path to the process executable. type: keyword - process.entry_leader.attested_user.entity.id: - dashed_name: process-entry-leader-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.entry_leader.attested_user.entity.id + process.entry_leader.group.id: + dashed_name: process-entry-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.group.id ignore_above: 1024 - level: core + level: extended name: id normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. 
+ original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword - process.entry_leader.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.entry_leader.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.attested_user.entity.lifecycle + process.entry_leader.group.name: + dashed_name: process-entry-leader-group-name + description: Name of the group. + flat_name: process.entry_leader.group.name + ignore_above: 1024 level: extended - name: lifecycle + name: name normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.entry_leader.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.entry_leader.attested_user.entity.metrics + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.entry_leader.interactive: + dashed_name: process-entry-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.entry_leader.interactive level: extended - name: metrics + name: interactive normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.entry_leader.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.entry_leader.attested_user.entity.name + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.entry_leader.name: + dashed_name: process-entry-leader-name + description: 'Process name. + + Sometimes called program name or similar.' 
+ example: ssh + flat_name: process.entry_leader.name ignore_above: 1024 - level: core + level: extended multi_fields: - - flat_name: process.entry_leader.attested_user.entity.name.text + - flat_name: process.entry_leader.name.text name: text type: match_only_text name: name normalize: [] - original_fieldset: entity - short: The name of the entity. + original_fieldset: process + short: Process name. type: keyword - process.entry_leader.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.entry_leader.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.entry_leader.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.attested_user.entity.reference + process.entry_leader.parent.entity_id: + dashed_name: process-entry-leader-parent-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. 
+ + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.entry_leader.parent.entity_id ignore_above: 1024 level: extended - name: reference + name: entity_id normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. + original_fieldset: process + short: Unique identifier for the process. type: keyword - process.entry_leader.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.entry_leader.attested_user.entity.source - ignore_above: 1024 + process.entry_leader.parent.pid: + dashed_name: process-entry-leader-parent-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.parent.pid + format: string level: core - name: source + name: pid normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.entry_leader.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.attested_user.entity.sub_type + original_fieldset: process + short: Process id. 
+ type: long + process.entry_leader.parent.session_leader.entity_id: + dashed_name: process-entry-leader-parent-session-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.entry_leader.parent.session_leader.entity_id ignore_above: 1024 level: extended - name: sub_type + name: entity_id normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. + original_fieldset: process + short: Unique identifier for the process. type: keyword - process.entry_leader.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. 
- Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. 
Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.entry_leader.attested_user.entity.type - ignore_above: 1024 + process.entry_leader.parent.session_leader.pid: + dashed_name: process-entry-leader-parent-session-leader-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.parent.session_leader.pid + format: string level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. 
- type: keyword - process.entry_leader.attested_user.full_name: - dashed_name: process-entry-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.attested_user.full_name - ignore_above: 1024 + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.entry_leader.parent.session_leader.start: + dashed_name: process-entry-leader-parent-session-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.session_leader.start level: extended - multi_fields: - - flat_name: process.entry_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name + name: start normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.attested_user.group.domain: - dashed_name: process-entry-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. + original_fieldset: process + short: The time the process started. + type: date + process.entry_leader.parent.session_leader.vpid: + dashed_name: process-entry-leader-parent-session-leader-vpid + description: 'Virtual process id. - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.attested_user.group.domain - ignore_above: 1024 + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.entry_leader.parent.session_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.entry_leader.parent.start: + dashed_name: process-entry-leader-parent-start + description: The time the process started. 
+ example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.start level: extended - name: domain + name: start normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.attested_user.group.id: - dashed_name: process-entry-leader-attested-user-group-id + original_fieldset: process + short: The time the process started. + type: date + process.entry_leader.parent.vpid: + dashed_name: process-entry-leader-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.entry_leader.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.entry_leader.pid: + dashed_name: process-entry-leader-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.entry_leader.real_group.id: + dashed_name: process-entry-leader-real-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.attested_user.group.id + flat_name: process.entry_leader.real_group.id ignore_above: 1024 level: extended name: id 
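Review bot: this hunk silently drops `process.entry_leader.attested_user.entity.type` together with its whole `allowed_values` list, including the `cloud` and `orchestrator` values that the same PR adds to the entity type documentation, and nothing in the hunk says why the `attested_user` nesting under `process.entry_leader` (and its `entity.sub_type`, `full_name`, `group.domain` entries) goes away. The `+` side is plain `process.entry_leader.parent.session_leader.*` content that existed before, so this reads as a regeneration of the flat artifact against a schema where that nesting no longer exists; confirm that removal is intentional and that the generator was run on the final schema state, otherwise the generated file and `schemas/entity.yml` will disagree on where `entity.*` may be reused.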
@@ -14881,10 +13754,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.entry_leader.attested_user.group.name: - dashed_name: process-entry-leader-attested-user-group-name + process.entry_leader.real_group.name: + dashed_name: process-entry-leader-real-group-name description: Name of the group. - flat_name: process.entry_leader.attested_user.group.name + flat_name: process.entry_leader.real_group.name ignore_above: 1024 level: extended name: name @@ -14892,26 +13765,11 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.entry_leader.attested_user.hash: - dashed_name: process-entry-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.attested_user.id: - dashed_name: process-entry-leader-attested-user-id + process.entry_leader.real_user.id: + dashed_name: process-entry-leader-real-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.attested_user.id + flat_name: process.entry_leader.real_user.id ignore_above: 1024 level: core name: id 
@@ -14919,15 +13777,15 @@ process: original_fieldset: user short: Unique identifier of the user. type: keyword - process.entry_leader.attested_user.name: - dashed_name: process-entry-leader-attested-user-name + process.entry_leader.real_user.name: + dashed_name: process-entry-leader-real-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.entry_leader.attested_user.name + flat_name: process.entry_leader.real_user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.entry_leader.attested_user.name.text + - flat_name: process.entry_leader.real_user.name.text name: text type: match_only_text name: name 
@@ -14935,262 +13793,330 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword - process.entry_leader.attested_user.risk.calculated_level: - dashed_name: process-entry-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.attested_user.risk.calculated_level - ignore_above: 1024 + process.entry_leader.same_as_process: + dashed_name: process-entry-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.entry_leader.same_as_process level: extended - name: calculated_level + name: same_as_process normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: keyword - process.entry_leader.attested_user.risk.calculated_score: - dashed_name: process-entry-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.attested_user.risk.calculated_score + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. + type: boolean + process.entry_leader.saved_group.id: + dashed_name: process-entry-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.saved_group.id + ignore_above: 1024 level: extended - name: calculated_score + name: id normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.entry_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.attested_user.risk.calculated_score_norm + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.saved_group.name: + dashed_name: process-entry-leader-saved-group-name + description: Name of the group. + flat_name: process.entry_leader.saved_group.name + ignore_above: 1024 level: extended - name: calculated_score_norm + name: name normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float - process.entry_leader.attested_user.risk.static_level: - dashed_name: process-entry-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.attested_user.risk.static_level + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.saved_user.id: + dashed_name: process-entry-leader-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.saved_user.id ignore_above: 1024 - level: extended - name: static_level + level: core + name: id normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. + original_fieldset: user + short: Unique identifier of the user. type: keyword - process.entry_leader.attested_user.risk.static_score: - dashed_name: process-entry-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.attested_user.risk.static_score - level: extended - name: static_score + process.entry_leader.saved_user.name: + dashed_name: process-entry-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.saved_user.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.entry_leader.attested_user.risk.static_score_norm: - dashed_name: process-entry-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.attested_user.risk.static_score_norm + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.entry_leader.start: + dashed_name: process-entry-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.start level: extended - name: static_score_norm + name: start normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.attested_user.roles: - dashed_name: process-entry-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.attested_user.roles + original_fieldset: process + short: The time the process started. + type: date + process.entry_leader.supplemental_groups.id: + dashed_name: process-entry-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.supplemental_groups.id ignore_above: 1024 level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword - process.entry_leader.code_signature.digest_algorithm: - dashed_name: process-entry-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. 
- - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.entry_leader.code_signature.digest_algorithm + process.entry_leader.supplemental_groups.name: + dashed_name: process-entry-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.entry_leader.supplemental_groups.name ignore_above: 1024 level: extended - name: digest_algorithm + name: name normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. + original_fieldset: group + short: Name of the group. type: keyword - process.entry_leader.code_signature.exists: - dashed_name: process-entry-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.entry_leader.code_signature.exists + process.entry_leader.tty: + dashed_name: process-entry-leader-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.entry_leader.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object + process.entry_leader.tty.char_device.major: + dashed_name: process-entry-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.entry_leader.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. 
+ type: long + process.entry_leader.tty.char_device.minor: + dashed_name: process-entry-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.entry_leader.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long + process.entry_leader.user.id: + dashed_name: process-entry-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.user.id + ignore_above: 1024 level: core - name: exists + name: id normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.entry_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.entry_leader.code_signature.flags + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.entry_leader.user.name: + dashed_name: process-entry-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.user.name ignore_above: 1024 - level: extended - name: flags + level: core + multi_fields: + - flat_name: process.entry_leader.user.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process + original_fieldset: user + short: Short name or login of the user. 
type: keyword - process.entry_leader.code_signature.signing_id: - dashed_name: process-entry-leader-code-signature-signing-id - description: 'The identifier used to sign the process. + process.entry_leader.vpid: + dashed_name: process-entry-leader-vpid + description: 'Virtual process id. - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.entry_leader.code_signature.signing_id + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.entry_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.entry_leader.working_directory: + dashed_name: process-entry-leader-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.entry_leader.working_directory ignore_above: 1024 level: extended - name: signing_id + multi_fields: + - flat_name: process.entry_leader.working_directory.text + name: text + type: match_only_text + name: working_directory normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. + original_fieldset: process + short: The working directory of the process. type: keyword - process.entry_leader.code_signature.status: - dashed_name: process-entry-leader-code-signature-status - description: 'Additional information about the certificate status. + process.env_vars: + dashed_name: process-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. - This is useful for logging cryptographic errors with the certificate validity - or trust status. 
Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.entry_leader.code_signature.status + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.env_vars ignore_above: 1024 level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. + name: env_vars + normalize: + - array + short: Array of environment variable bindings. + synthetic_source_keep: none type: keyword - process.entry_leader.code_signature.subject_name: - dashed_name: process-entry-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.entry_leader.code_signature.subject_name + process.executable: + dashed_name: process-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.executable ignore_above: 1024 - level: core - name: subject_name + level: extended + multi_fields: + - flat_name: process.executable.text + name: text + type: match_only_text + name: executable normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer + otel: + - attribute: process.executable.path + relation: equivalent + stability: development + short: Absolute path to the process executable. type: keyword - process.entry_leader.code_signature.team_id: - dashed_name: process-entry-leader-code-signature-team-id - description: 'The team identifier used to sign the process. + process.exit_code: + dashed_name: process-exit-code + description: 'The exit code of the process, if this is a termination event. - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' 
- example: EQHXZ8M8AV - flat_name: process.entry_leader.code_signature.team_id - ignore_above: 1024 + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.exit_code level: extended - name: team_id + name: exit_code normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.entry_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.entry_leader.code_signature.thumbprint_sha256 - ignore_above: 64 + short: The exit code of the process. + type: long + process.group.id: + dashed_name: process-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group.id + ignore_above: 1024 level: extended - name: thumbprint_sha256 + name: id normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword - process.entry_leader.code_signature.timestamp: - dashed_name: process-entry-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.entry_leader.code_signature.timestamp + process.group.name: + dashed_name: process-group-name + description: Name of the group. + flat_name: process.group.name + ignore_above: 1024 level: extended - name: timestamp + name: name normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. 
- type: date - process.entry_leader.code_signature.trusted: - dashed_name: process-entry-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. + original_fieldset: group + short: Name of the group. + type: keyword + process.group_leader.args: + dashed_name: process-group-leader-args + description: 'Array of process arguments, starting with the absolute path to + the executable. - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.entry_leader.code_signature.trusted + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.group_leader.args + ignore_above: 1024 level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - process.entry_leader.code_signature.valid: - dashed_name: process-entry-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.group_leader.args_count: + dashed_name: process-group-leader-args-count + description: 'Length of the process.args array. - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.entry_leader.code_signature.valid + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' 
+ example: 4 + flat_name: process.group_leader.args_count level: extended - name: valid + name: args_count normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - process.entry_leader.command_line: - dashed_name: process-entry-leader-command-line + original_fieldset: process + short: Length of the process.args array. + type: long + process.group_leader.command_line: + dashed_name: process-group-leader-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.entry_leader.command_line + flat_name: process.group_leader.command_line level: extended multi_fields: - - flat_name: process.entry_leader.command_line.text + - flat_name: process.group_leader.command_line.text name: text type: match_only_text name: command_line 
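Review bot: in the `@@ -14935,262 +13793,330 @@` hunk the real change is buried in a large reorder: the removed lines are `process.entry_leader.attested_user.risk.*`, `process.entry_leader.attested_user.roles` and the entire `process.entry_leader.code_signature.*` set (including the `thumbprint_sha256` entry with its `ignore_above: 64` and `pattern: ^[0-9a-f]{64}$` constraints), while the added `saved_group.*`, `saved_user.*`, `supplemental_groups.*`, `tty.*`, `user.*`, `vpid` and `working_directory` entries are pre-existing fields shifted into place. Dropping code signature fields from `entry_leader` is a schema change that detection content may depend on (for example rules keyed on `process.entry_leader.code_signature.trusted`); please state in the change description which reuse nestings were removed, and consider committing the regenerated artifacts separately so the semantic removal is reviewable on its own.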
@@ -15198,1025 +14124,473 @@ process: original_fieldset: process short: Full command line that started the process. type: wildcard - process.entry_leader.elf.architecture: - dashed_name: process-entry-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.entry_leader.elf.architecture + process.group_leader.entity_id: + dashed_name: process-group-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.group_leader.entity_id ignore_above: 1024 level: extended - name: architecture + name: entity_id normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. + original_fieldset: process + short: Unique identifier for the process. type: keyword - process.entry_leader.elf.byte_order: - dashed_name: process-entry-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.entry_leader.elf.byte_order + process.group_leader.executable: + dashed_name: process-group-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.group_leader.executable ignore_above: 1024 level: extended - name: byte_order + multi_fields: + - flat_name: process.group_leader.executable.text + name: text + type: match_only_text + name: executable normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. + original_fieldset: process + short: Absolute path to the process executable. 
type: keyword - process.entry_leader.elf.cpu_type: - dashed_name: process-entry-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.entry_leader.elf.cpu_type + process.group_leader.group.id: + dashed_name: process-group-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.group.id ignore_above: 1024 level: extended - name: cpu_type + name: id normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword - process.entry_leader.elf.creation_date: - dashed_name: process-entry-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: process.entry_leader.elf.creation_date + process.group_leader.group.name: + dashed_name: process-group-leader-group-name + description: Name of the group. + flat_name: process.group_leader.group.name + ignore_above: 1024 level: extended - name: creation_date + name: name normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date - process.entry_leader.elf.exports: - dashed_name: process-entry-leader-elf-exports - description: List of exported element names and types. - flat_name: process.entry_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - process.entry_leader.elf.go_import_hash: - dashed_name: process-entry-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
+ original_fieldset: group + short: Name of the group. + type: keyword + process.group_leader.interactive: + dashed_name: process-group-leader-interactive + description: 'Whether the process is connected to an interactive shell. - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.elf.go_import_hash - ignore_above: 1024 + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.group_leader.interactive level: extended - name: go_import_hash + name: interactive normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword - process.entry_leader.elf.go_imports: - dashed_name: process-entry-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened - process.entry_leader.elf.go_imports_names_entropy: - dashed_name: process-entry-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.entry_leader.elf.go_imports_names_entropy - format: number + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.group_leader.name: + dashed_name: process-group-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.group_leader.name + ignore_above: 1024 level: extended - name: go_imports_names_entropy + multi_fields: + - flat_name: process.group_leader.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long - process.entry_leader.elf.go_imports_names_var_entropy: - dashed_name: process-entry-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy + original_fieldset: process + short: Process name. + type: keyword + process.group_leader.pid: + dashed_name: process-group-leader-pid + description: Process id. + example: 4242 + flat_name: process.group_leader.pid + format: string + level: core + name: pid normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. + original_fieldset: process + otel: + - relation: match + stability: development + short: Process id. type: long - process.entry_leader.elf.go_stripped: - dashed_name: process-entry-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.elf.go_stripped + process.group_leader.real_group.id: + dashed_name: process-group-leader-real-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.group_leader.real_group.id + ignore_above: 1024 level: extended - name: go_stripped + name: id normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.entry_leader.elf.header.abi_version: - dashed_name: process-entry-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.entry_leader.elf.header.abi_version + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.group_leader.real_group.name: + dashed_name: process-group-leader-real-group-name + description: Name of the group. + flat_name: process.group_leader.real_group.name ignore_above: 1024 level: extended - name: header.abi_version + name: name normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). + original_fieldset: group + short: Name of the group. type: keyword - process.entry_leader.elf.header.class: - dashed_name: process-entry-leader-elf-header-class - description: Header class of the ELF file. - flat_name: process.entry_leader.elf.header.class + process.group_leader.real_user.id: + dashed_name: process-group-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.real_user.id ignore_above: 1024 - level: extended - name: header.class + level: core + name: id normalize: [] - original_fieldset: elf - short: Header class of the ELF file. + original_fieldset: user + short: Unique identifier of the user. type: keyword - process.entry_leader.elf.header.data: - dashed_name: process-entry-leader-elf-header-data - description: Data table of the ELF header. - flat_name: process.entry_leader.elf.header.data + process.group_leader.real_user.name: + dashed_name: process-group-leader-real-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.group_leader.real_user.name ignore_above: 1024 - level: extended - name: header.data + level: core + multi_fields: + - flat_name: process.group_leader.real_user.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: elf - short: Data table of the ELF header. + original_fieldset: user + short: Short name or login of the user. type: keyword - process.entry_leader.elf.header.entrypoint: - dashed_name: process-entry-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.entry_leader.elf.header.entrypoint - format: string + process.group_leader.same_as_process: + dashed_name: process-group-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' 
+ example: true + flat_name: process.group_leader.same_as_process level: extended - name: header.entrypoint + name: same_as_process normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - process.entry_leader.elf.header.object_version: - dashed_name: process-entry-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.entry_leader.elf.header.object_version + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. + type: boolean + process.group_leader.saved_group.id: + dashed_name: process-group-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.saved_group.id ignore_above: 1024 level: extended - name: header.object_version + name: id normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword - process.entry_leader.elf.header.os_abi: - dashed_name: process-entry-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.entry_leader.elf.header.os_abi + process.group_leader.saved_group.name: + dashed_name: process-group-leader-saved-group-name + description: Name of the group. + flat_name: process.group_leader.saved_group.name ignore_above: 1024 level: extended - name: header.os_abi + name: name normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. + original_fieldset: group + short: Name of the group. type: keyword - process.entry_leader.elf.header.type: - dashed_name: process-entry-leader-elf-header-type - description: Header type of the ELF file. 
- flat_name: process.entry_leader.elf.header.type + process.group_leader.saved_user.id: + dashed_name: process-group-leader-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.saved_user.id ignore_above: 1024 - level: extended - name: header.type + level: core + name: id normalize: [] - original_fieldset: elf - short: Header type of the ELF file. + original_fieldset: user + short: Unique identifier of the user. type: keyword - process.entry_leader.elf.header.version: - dashed_name: process-entry-leader-elf-header-version - description: Version of the ELF header. - flat_name: process.entry_leader.elf.header.version + process.group_leader.saved_user.name: + dashed_name: process-group-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.saved_user.name ignore_above: 1024 - level: extended - name: header.version + level: core + multi_fields: + - flat_name: process.group_leader.saved_user.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: elf - short: Version of the ELF header. + original_fieldset: user + short: Short name or login of the user. type: keyword - process.entry_leader.elf.import_hash: - dashed_name: process-entry-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.elf.import_hash + process.group_leader.start: + dashed_name: process-group-leader-start + description: The time the process started. 
+ example: '2016-05-23T08:05:34.853Z' + flat_name: process.group_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.group_leader.supplemental_groups.id: + dashed_name: process-group-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.supplemental_groups.id ignore_above: 1024 level: extended - name: import_hash + name: id normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword - process.entry_leader.elf.imports: - dashed_name: process-entry-leader-elf-imports - description: List of imported element names and types. - flat_name: process.entry_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - process.entry_leader.elf.imports_names_entropy: - dashed_name: process-entry-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.entry_leader.elf.imports_names_entropy - format: number + process.group_leader.supplemental_groups.name: + dashed_name: process-group-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.group_leader.supplemental_groups.name + ignore_above: 1024 level: extended - name: imports_names_entropy + name: name normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.entry_leader.elf.imports_names_var_entropy: - dashed_name: process-entry-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- flat_name: process.entry_leader.elf.imports_names_var_entropy - format: number + original_fieldset: group + short: Name of the group. + type: keyword + process.group_leader.tty: + dashed_name: process-group-leader-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.group_leader.tty level: extended - name: imports_names_var_entropy + name: tty normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.entry_leader.elf.sections: - dashed_name: process-entry-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.entry_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - process.entry_leader.elf.sections.chi2: - dashed_name: process-entry-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.entry_leader.elf.sections.chi2 - format: number + original_fieldset: process + short: Information about the controlling TTY device. + type: object + process.group_leader.tty.char_device.major: + dashed_name: process-group-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. 
+ example: 4 + flat_name: process.group_leader.tty.char_device.major level: extended - name: sections.chi2 + name: tty.char_device.major normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. + original_fieldset: process + short: The TTY character device's major number. type: long - process.entry_leader.elf.sections.entropy: - dashed_name: process-entry-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.elf.sections.entropy - format: number + process.group_leader.tty.char_device.minor: + dashed_name: process-group-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.group_leader.tty.char_device.minor level: extended - name: sections.entropy + name: tty.char_device.minor normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. + original_fieldset: process + short: The TTY character device's minor number. type: long - process.entry_leader.elf.sections.flags: - dashed_name: process-entry-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.entry_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword - process.entry_leader.elf.sections.name: - dashed_name: process-entry-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.entry_leader.elf.sections.name + process.group_leader.user.id: + dashed_name: process-group-leader-user-id + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.user.id ignore_above: 1024 - level: extended - name: sections.name + level: core + name: id normalize: [] - original_fieldset: elf - short: ELF Section List name. + original_fieldset: user + short: Unique identifier of the user. type: keyword - process.entry_leader.elf.sections.physical_offset: - dashed_name: process-entry-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.entry_leader.elf.sections.physical_offset + process.group_leader.user.name: + dashed_name: process-group-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.user.name ignore_above: 1024 - level: extended - name: sections.physical_offset + level: core + multi_fields: + - flat_name: process.group_leader.user.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: elf - short: ELF Section List offset. + original_fieldset: user + short: Short name or login of the user. type: keyword - process.entry_leader.elf.sections.physical_size: - dashed_name: process-entry-leader-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.entry_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size + process.group_leader.vpid: + dashed_name: process-group-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.group_leader.vpid + format: string + level: core + name: vpid normalize: [] - original_fieldset: elf - short: ELF Section List physical size. + original_fieldset: process + short: Virtual process id. 
type: long - process.entry_leader.elf.sections.type: - dashed_name: process-entry-leader-elf-sections-type - description: ELF Section List type. - flat_name: process.entry_leader.elf.sections.type + process.group_leader.working_directory: + dashed_name: process-group-leader-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.group_leader.working_directory ignore_above: 1024 level: extended - name: sections.type + multi_fields: + - flat_name: process.group_leader.working_directory.text + name: text + type: match_only_text + name: working_directory normalize: [] - original_fieldset: elf - short: ELF Section List type. + original_fieldset: process + short: The working directory of the process. type: keyword - process.entry_leader.elf.sections.var_entropy: - dashed_name: process-entry-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long - process.entry_leader.elf.sections.virtual_address: - dashed_name: process-entry-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.entry_leader.elf.sections.virtual_address - format: string + process.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.hash.cdhash + ignore_above: 1024 level: extended - name: sections.virtual_address + name: cdhash normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. 
- type: long - process.entry_leader.elf.sections.virtual_size: - dashed_name: process-entry-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.entry_leader.elf.sections.virtual_size - format: string + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.hash.md5: + dashed_name: process-hash-md5 + description: MD5 hash. + flat_name: process.hash.md5 + ignore_above: 1024 level: extended - name: sections.virtual_size + name: md5 normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long - process.entry_leader.elf.segments: - dashed_name: process-entry-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: process.entry_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested - process.entry_leader.elf.segments.sections: - dashed_name: process-entry-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.entry_leader.elf.segments.sections + original_fieldset: hash + short: MD5 hash. + type: keyword + process.hash.sha1: + dashed_name: process-hash-sha1 + description: SHA1 hash. + flat_name: process.hash.sha1 ignore_above: 1024 level: extended - name: segments.sections + name: sha1 normalize: [] - original_fieldset: elf - short: ELF object segment sections. + original_fieldset: hash + short: SHA1 hash. type: keyword - process.entry_leader.elf.segments.type: - dashed_name: process-entry-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.entry_leader.elf.segments.type + process.hash.sha256: + dashed_name: process-hash-sha256 + description: SHA256 hash. 
+ flat_name: process.hash.sha256 ignore_above: 1024 level: extended - name: segments.type + name: sha256 normalize: [] - original_fieldset: elf - short: ELF object segment type. + original_fieldset: hash + short: SHA256 hash. type: keyword - process.entry_leader.elf.shared_libraries: - dashed_name: process-entry-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.entry_leader.elf.shared_libraries + process.hash.sha384: + dashed_name: process-hash-sha384 + description: SHA384 hash. + flat_name: process.hash.sha384 ignore_above: 1024 level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. type: keyword - process.entry_leader.elf.telfhash: - dashed_name: process-entry-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.entry_leader.elf.telfhash + process.hash.sha512: + dashed_name: process-hash-sha512 + description: SHA512 hash. + flat_name: process.hash.sha512 ignore_above: 1024 level: extended - name: telfhash + name: sha512 normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. + original_fieldset: hash + short: SHA512 hash. type: keyword - process.entry_leader.end: - dashed_name: process-entry-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.end + process.hash.ssdeep: + dashed_name: process-hash-ssdeep + description: SSDEEP hash. + flat_name: process.hash.ssdeep + ignore_above: 1024 level: extended - name: end + name: ssdeep normalize: [] - original_fieldset: process - short: The time the process ended. - type: date - process.entry_leader.endpoint_security_client: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.entry_leader.endpoint_security_client + original_fieldset: hash + short: SSDEEP hash. + type: keyword + process.hash.tlsh: + dashed_name: process-hash-tlsh + description: TLSH hash. + flat_name: process.hash.tlsh + ignore_above: 1024 level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.entry_leader.entity_id: - dashed_name: process-entry-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.entry_leader.entry_meta.source.address: - dashed_name: process-entry-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' 
- flat_name: process.entry_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword - process.entry_leader.entry_meta.source.as.number: - dashed_name: process-entry-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.entry_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.entry_leader.entry_meta.source.as.organization.name: - dashed_name: process-entry-leader-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.entry_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword - process.entry_leader.entry_meta.source.bytes: - dashed_name: process-entry-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.entry_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.entry_leader.entry_meta.source.domain: - dashed_name: process-entry-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' 
- example: foo.example.com - flat_name: process.entry_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.entry_leader.entry_meta.source.geo.city_name: - dashed_name: process-entry-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.entry_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.entry_leader.entry_meta.source.geo.continent_code: - dashed_name: process-entry-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.entry_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - process.entry_leader.entry_meta.source.geo.continent_name: - dashed_name: process-entry-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.entry_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.entry_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-entry-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.entry_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - process.entry_leader.entry_meta.source.geo.country_name: - dashed_name: process-entry-leader-entry-meta-source-geo-country-name - description: Country name. 
- example: Canada - flat_name: process.entry_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - process.entry_leader.entry_meta.source.geo.location: - dashed_name: process-entry-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.entry_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - process.entry_leader.entry_meta.source.geo.name: - dashed_name: process-entry-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.entry_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.entry_leader.entry_meta.source.geo.postal_code: - dashed_name: process-entry-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.entry_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.entry_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-entry-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. 
- example: CA-QC - flat_name: process.entry_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.entry_leader.entry_meta.source.geo.region_name: - dashed_name: process-entry-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.entry_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - process.entry_leader.entry_meta.source.geo.timezone: - dashed_name: process-entry-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.entry_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.entry_leader.entry_meta.source.ip: - dashed_name: process-entry-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.entry_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip - process.entry_leader.entry_meta.source.mac: - dashed_name: process-entry-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' 
- example: 00-00-5E-00-53-23 - flat_name: process.entry_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.entry_leader.entry_meta.source.nat.ip: - dashed_name: process-entry-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.entry_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.entry_leader.entry_meta.source.nat.port: - dashed_name: process-entry-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.entry_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.entry_leader.entry_meta.source.packets: - dashed_name: process-entry-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.entry_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.entry_leader.entry_meta.source.port: - dashed_name: process-entry-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.entry_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. 
- type: long - process.entry_leader.entry_meta.source.registered_domain: - dashed_name: process-entry-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.entry_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.entry_leader.entry_meta.source.subdomain: - dashed_name: process-entry-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.entry_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword - process.entry_leader.entry_meta.source.top_level_domain: - dashed_name: process-entry-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. 
For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.entry_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword - process.entry_leader.entry_meta.type: - dashed_name: process-entry-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.entry_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword - process.entry_leader.env_vars: - dashed_name: process-entry-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.entry_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.entry_leader.executable: - dashed_name: process-entry-leader-executable - description: Absolute path to the process executable. 
- example: /usr/bin/ssh - flat_name: process.entry_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword - process.entry_leader.exit_code: - dashed_name: process-entry-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.entry_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long - process.entry_leader.group.domain: - dashed_name: process-entry-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.group.id: - dashed_name: process-entry-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.group.name: - dashed_name: process-entry-leader-group-name - description: Name of the group. - flat_name: process.entry_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.hash.cdhash: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.entry_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.entry_leader.hash.md5: - dashed_name: process-entry-leader-hash-md5 - description: MD5 hash. - flat_name: process.entry_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.entry_leader.hash.sha1: - dashed_name: process-entry-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.entry_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.entry_leader.hash.sha256: - dashed_name: process-entry-leader-hash-sha256 - description: SHA256 hash. - flat_name: process.entry_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.entry_leader.hash.sha384: - dashed_name: process-entry-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.entry_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword - process.entry_leader.hash.sha512: - dashed_name: process-entry-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.entry_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.entry_leader.hash.ssdeep: - dashed_name: process-entry-leader-hash-ssdeep - description: SSDEEP hash. 
- flat_name: process.entry_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword - process.entry_leader.hash.tlsh: - dashed_name: process-entry-leader-hash-tlsh - description: TLSH hash. - flat_name: process.entry_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh + name: tlsh normalize: [] original_fieldset: hash short: TLSH hash. type: keyword - process.entry_leader.interactive: - dashed_name: process-entry-leader-interactive + process.interactive: + dashed_name: process-interactive description: 'Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If 
@@ -16229,75 +14603,72 @@ process: backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.' example: true - flat_name: process.entry_leader.interactive + flat_name: process.interactive level: extended name: interactive normalize: [] - original_fieldset: process + otel: + - relation: match + stability: development short: Whether the process is connected to an interactive shell. type: boolean - process.entry_leader.io: - dashed_name: process-entry-leader-io + process.io: + dashed_name: process-io description: 'A chunk of input or output (IO) from a single process. This field only appears on the top level process object, which is the process that wrote the output or read the input.' - flat_name: process.entry_leader.io + flat_name: process.io level: extended name: io normalize: [] - original_fieldset: process short: A chunk of input or output (IO) from a single process. type: object - process.entry_leader.io.bytes_skipped: - dashed_name: process-entry-leader-io-bytes-skipped + process.io.bytes_skipped: + dashed_name: process-io-bytes-skipped description: An array of byte offsets and lengths denoting where IO data has been skipped. - flat_name: process.entry_leader.io.bytes_skipped + flat_name: process.io.bytes_skipped level: extended name: io.bytes_skipped normalize: - array - original_fieldset: process short: An array of byte offsets and lengths denoting where IO data has been skipped. type: object - process.entry_leader.io.bytes_skipped.length: - dashed_name: process-entry-leader-io-bytes-skipped-length + process.io.bytes_skipped.length: + dashed_name: process-io-bytes-skipped-length description: The length of bytes skipped. - flat_name: process.entry_leader.io.bytes_skipped.length + flat_name: process.io.bytes_skipped.length level: extended name: io.bytes_skipped.length normalize: [] - original_fieldset: process short: The length of bytes skipped. 
type: long - process.entry_leader.io.bytes_skipped.offset: - dashed_name: process-entry-leader-io-bytes-skipped-offset + process.io.bytes_skipped.offset: + dashed_name: process-io-bytes-skipped-offset description: The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. - flat_name: process.entry_leader.io.bytes_skipped.offset + flat_name: process.io.bytes_skipped.offset level: extended name: io.bytes_skipped.offset normalize: [] - original_fieldset: process short: The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. type: long - process.entry_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-entry-leader-io-max-bytes-per-process-exceeded + process.io.max_bytes_per_process_exceeded: + dashed_name: process-io-max-bytes-per-process-exceeded description: If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. - flat_name: process.entry_leader.io.max_bytes_per_process_exceeded + flat_name: process.io.max_bytes_per_process_exceeded level: extended name: io.max_bytes_per_process_exceeded normalize: [] - original_fieldset: process short: If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. type: boolean - process.entry_leader.io.text: - dashed_name: process-entry-leader-io-text + process.io.text: + dashed_name: process-io-text description: 'A chunk of output or input sanitized to UTF-8. Best efforts are made to ensure complete lines are captured in these events. 
@@ -16305,53 +14676,49 @@ process: event. TTY output may contain terminal control codes such as for cursor movement, so some string queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.entry_leader.io.text + flat_name: process.io.text level: extended name: io.text normalize: [] - original_fieldset: process short: A chunk of output or input sanitized to UTF-8. type: wildcard - process.entry_leader.io.total_bytes_captured: - dashed_name: process-entry-leader-io-total-bytes-captured + process.io.total_bytes_captured: + dashed_name: process-io-total-bytes-captured description: The total number of bytes captured in this event. - flat_name: process.entry_leader.io.total_bytes_captured + flat_name: process.io.total_bytes_captured level: extended name: io.total_bytes_captured normalize: [] - original_fieldset: process short: The total number of bytes captured in this event. type: long - process.entry_leader.io.total_bytes_skipped: - dashed_name: process-entry-leader-io-total-bytes-skipped + process.io.total_bytes_skipped: + dashed_name: process-io-total-bytes-skipped description: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero - flat_name: process.entry_leader.io.total_bytes_skipped + flat_name: process.io.total_bytes_skipped level: extended name: io.total_bytes_skipped normalize: [] - original_fieldset: process short: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. type: long - process.entry_leader.io.type: - dashed_name: process-entry-leader-io-type + process.io.type: + dashed_name: process-io-type description: 'The type of object on which the IO action (read or write) was taken. Currently only ''tty'' is supported. Other types may be added in the future for ''file'' and ''socket'' support.' 
- flat_name: process.entry_leader.io.type + flat_name: process.io.type ignore_above: 1024 level: extended name: io.type normalize: [] - original_fieldset: process short: The type of object on which the IO action (read or write) was taken. type: keyword - process.entry_leader.macho.go_import_hash: - dashed_name: process-entry-leader-macho-go-import-hash + process.macho.go_import_hash: + dashed_name: process-macho-go-import-hash description: 'A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would @@ -16360,7 +14727,7 @@ process: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.macho.go_import_hash + flat_name: process.macho.go_import_hash ignore_above: 1024 level: extended name: go_import_hash 
@@ -16368,20 +14735,20 @@ process: original_fieldset: macho short: A hash of the Go language imports in a Mach-O file. type: keyword - process.entry_leader.macho.go_imports: - dashed_name: process-entry-leader-macho-go-imports + process.macho.go_imports: + dashed_name: process-macho-go-imports description: List of imported Go language element names and types. - flat_name: process.entry_leader.macho.go_imports + flat_name: process.macho.go_imports level: extended name: go_imports normalize: [] original_fieldset: macho short: List of imported Go language element names and types. type: flattened - process.entry_leader.macho.go_imports_names_entropy: - dashed_name: process-entry-leader-macho-go-imports-names-entropy + process.macho.go_imports_names_entropy: + dashed_name: process-macho-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.macho.go_imports_names_entropy + flat_name: process.macho.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy @@ -16389,10 +14756,10 @@ process: original_fieldset: macho short: Shannon entropy calculation from the list of Go imports. type: long - process.entry_leader.macho.go_imports_names_var_entropy: - dashed_name: process-entry-leader-macho-go-imports-names-var-entropy + process.macho.go_imports_names_var_entropy: + dashed_name: process-macho-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.macho.go_imports_names_var_entropy + flat_name: process.macho.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -16400,26 +14767,26 @@ process: original_fieldset: macho short: Variance for Shannon entropy calculation from the list of Go imports. type: long - process.entry_leader.macho.go_stripped: - dashed_name: process-entry-leader-macho-go-stripped + process.macho.go_stripped: + dashed_name: process-macho-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.macho.go_stripped + flat_name: process.macho.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: macho short: Whether the file is a stripped or obfuscated Go executable. type: boolean - process.entry_leader.macho.import_hash: - dashed_name: process-entry-leader-macho-import-hash + process.macho.import_hash: + dashed_name: process-macho-import-hash description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for symhash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.macho.import_hash + flat_name: process.macho.import_hash ignore_above: 1024 level: extended name: import_hash @@ -16427,10 +14794,10 @@ process: original_fieldset: macho short: A hash of the imports in a Mach-O file. type: keyword - process.entry_leader.macho.imports: - dashed_name: process-entry-leader-macho-imports + process.macho.imports: + dashed_name: process-macho-imports description: List of imported element names and types. - flat_name: process.entry_leader.macho.imports + flat_name: process.macho.imports level: extended name: imports normalize: 
@@ -16438,11 +14805,11 @@ process: original_fieldset: macho short: List of imported element names and types. type: flattened - process.entry_leader.macho.imports_names_entropy: - dashed_name: process-entry-leader-macho-imports-names-entropy + process.macho.imports_names_entropy: + dashed_name: process-macho-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.entry_leader.macho.imports_names_entropy + flat_name: process.macho.imports_names_entropy format: number level: extended name: imports_names_entropy @@ -16451,11 +14818,11 @@ process: short: Shannon entropy calculation from the list of imported element names and types. type: long - process.entry_leader.macho.imports_names_var_entropy: - dashed_name: process-entry-leader-macho-imports-names-var-entropy + process.macho.imports_names_var_entropy: + dashed_name: process-macho-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.entry_leader.macho.imports_names_var_entropy + flat_name: process.macho.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy @@ -16464,13 +14831,13 @@ process: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long - process.entry_leader.macho.sections: - dashed_name: process-entry-leader-macho-sections + process.macho.sections: + dashed_name: process-macho-sections description: 'An array containing an object for each section of the Mach-O file. The keys that should be present in these objects are defined by sub-fields underneath `macho.sections.*`.' - flat_name: process.entry_leader.macho.sections + flat_name: process.macho.sections level: extended name: sections normalize: 
@@ -16478,10 +14845,10 @@ process: original_fieldset: macho short: Section information of the Mach-O file. type: nested - process.entry_leader.macho.sections.entropy: - dashed_name: process-entry-leader-macho-sections-entropy + process.macho.sections.entropy: + dashed_name: process-macho-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.macho.sections.entropy + flat_name: process.macho.sections.entropy format: number level: extended name: sections.entropy @@ -16489,10 +14856,10 @@ process: original_fieldset: macho short: Shannon entropy calculation from the section. type: long - process.entry_leader.macho.sections.name: - dashed_name: process-entry-leader-macho-sections-name + process.macho.sections.name: + dashed_name: process-macho-sections-name description: Mach-O Section List name. - flat_name: process.entry_leader.macho.sections.name + flat_name: process.macho.sections.name ignore_above: 1024 level: extended name: sections.name @@ -16500,10 +14867,10 @@ process: original_fieldset: macho short: Mach-O Section List name. type: keyword - process.entry_leader.macho.sections.physical_size: - dashed_name: process-entry-leader-macho-sections-physical-size + process.macho.sections.physical_size: + dashed_name: process-macho-sections-physical-size description: Mach-O Section List physical size. - flat_name: process.entry_leader.macho.sections.physical_size + flat_name: process.macho.sections.physical_size format: bytes level: extended name: sections.physical_size 
@@ -16511,10 +14878,10 @@ process: original_fieldset: macho short: Mach-O Section List physical size. type: long - process.entry_leader.macho.sections.var_entropy: - dashed_name: process-entry-leader-macho-sections-var-entropy + process.macho.sections.var_entropy: + dashed_name: process-macho-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.macho.sections.var_entropy + flat_name: process.macho.sections.var_entropy format: number level: extended name: sections.var_entropy @@ -16522,10 +14889,10 @@ process: original_fieldset: macho short: Variance for Shannon entropy calculation from the section. type: long - process.entry_leader.macho.sections.virtual_size: - dashed_name: process-entry-leader-macho-sections-virtual-size + process.macho.sections.virtual_size: + dashed_name: process-macho-sections-virtual-size description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.macho.sections.virtual_size + flat_name: process.macho.sections.virtual_size format: string level: extended name: sections.virtual_size @@ -16533,15 +14900,15 @@ process: original_fieldset: macho short: Mach-O Section List virtual size. This is always the same as `physical_size`. type: long - process.entry_leader.macho.symhash: - dashed_name: process-entry-leader-macho-symhash + process.macho.symhash: + dashed_name: process-macho-symhash description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a Mach-O implementation of the Windows PE imphash' example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.entry_leader.macho.symhash + flat_name: process.macho.symhash ignore_above: 1024 level: extended name: symhash 
@@ -16549,59 +14916,31 @@ process: original_fieldset: macho short: A hash of the imports in a Mach-O file. type: keyword - process.entry_leader.name: - dashed_name: process-entry-leader-name + process.name: + dashed_name: process-name description: 'Process name. Sometimes called program name or similar.' example: ssh - flat_name: process.entry_leader.name + flat_name: process.name ignore_above: 1024 level: extended multi_fields: - - flat_name: process.entry_leader.name.text + - flat_name: process.name.text name: text type: match_only_text name: name normalize: [] - original_fieldset: process short: Process name. type: keyword - process.entry_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.entry_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.entry_leader.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.entry_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword - process.entry_leader.parent.args: - dashed_name: process-entry-leader-parent-args + process.parent.args: + dashed_name: process-parent-args description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.' 
example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.entry_leader.parent.args + flat_name: process.parent.args ignore_above: 1024 level: extended name: args 
@@ -16610,538 +14949,29 @@ process: original_fieldset: process short: Array of process arguments. type: keyword - process.entry_leader.parent.args_count: - dashed_name: process-entry-leader-parent-args-count + process.parent.args_count: + dashed_name: process-parent-args-count description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.' example: 4 - flat_name: process.entry_leader.parent.args_count + flat_name: process.parent.args_count level: extended name: args_count normalize: [] original_fieldset: process short: Length of the process.args array. type: long - process.entry_leader.parent.attested_groups.domain: - dashed_name: process-entry-leader-parent-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.attested_groups.id: - dashed_name: process-entry-leader-parent-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.attested_groups.name: - dashed_name: process-entry-leader-parent-attested-groups-name - description: Name of the group. - flat_name: process.entry_leader.parent.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.entry_leader.parent.attested_user.domain: - dashed_name: process-entry-leader-parent-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.entry_leader.parent.attested_user.email: - dashed_name: process-entry-leader-parent-attested-user-email - description: User email address. - flat_name: process.entry_leader.parent.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.entry_leader.parent.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.entry_leader.parent.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.entry_leader.parent.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. 
Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.entry_leader.parent.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.parent.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.attested_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.entry_leader.parent.attested_user.entity.id: - dashed_name: process-entry-leader-parent-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. 
Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.entry_leader.parent.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.entry_leader.parent.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.parent.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.entry_leader.parent.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.entry_leader.parent.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. 
- flat_name: process.entry_leader.parent.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.entry_leader.parent.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.entry_leader.parent.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.attested_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.entry_leader.parent.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.entry_leader.parent.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.entry_leader.parent.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. 
This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.parent.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.entry_leader.parent.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.entry_leader.parent.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.entry_leader.parent.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.parent.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.entry_leader.parent.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. 
Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. 
This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-type - description: 'A standardized high-level classification of the entity. 
This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.entry_leader.parent.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.entry_leader.parent.attested_user.full_name: - dashed_name: process-entry-leader-parent-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.parent.attested_user.group.domain: - dashed_name: process-entry-leader-parent-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.attested_user.group.id: - dashed_name: process-entry-leader-parent-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.entry_leader.parent.attested_user.group.name: - dashed_name: process-entry-leader-parent-attested-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.attested_user.hash: - dashed_name: process-entry-leader-parent-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.parent.attested_user.id: - dashed_name: process-entry-leader-parent-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.entry_leader.parent.attested_user.name: - dashed_name: process-entry-leader-parent-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword - process.entry_leader.parent.attested_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.entry_leader.parent.attested_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.entry_leader.parent.attested_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.parent.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float - process.entry_leader.parent.attested_user.risk.static_level: - dashed_name: process-entry-leader-parent-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.entry_leader.parent.attested_user.risk.static_score: - dashed_name: process-entry-leader-parent-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.entry_leader.parent.attested_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.parent.attested_user.roles: - dashed_name: process-entry-leader-parent-attested-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.code_signature.digest_algorithm: - dashed_name: process-entry-leader-parent-code-signature-digest-algorithm + process.parent.code_signature.digest_algorithm: + dashed_name: process-parent-code-signature-digest-algorithm description: 'The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.' example: sha256 - flat_name: process.entry_leader.parent.code_signature.digest_algorithm + flat_name: process.parent.code_signature.digest_algorithm ignore_above: 1024 level: extended name: digest_algorithm 
@@ -17149,23 +14979,23 @@ process: original_fieldset: code_signature short: Hashing algorithm used to sign the process. type: keyword - process.entry_leader.parent.code_signature.exists: - dashed_name: process-entry-leader-parent-code-signature-exists + process.parent.code_signature.exists: + dashed_name: process-parent-code-signature-exists description: Boolean to capture if a signature is present. example: 'true' - flat_name: process.entry_leader.parent.code_signature.exists + flat_name: process.parent.code_signature.exists level: core name: exists normalize: [] original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean - process.entry_leader.parent.code_signature.flags: + process.parent.code_signature.flags: beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-code-signature-flags + dashed_name: process-parent-code-signature-flags description: The flags used to sign the process. example: 570522385 - flat_name: process.entry_leader.parent.code_signature.flags + flat_name: process.parent.code_signature.flags ignore_above: 1024 level: extended name: flags @@ -17173,14 +15003,14 @@ process: original_fieldset: code_signature short: Code signing flags of the process type: keyword - process.entry_leader.parent.code_signature.signing_id: - dashed_name: process-entry-leader-parent-code-signature-signing-id + process.parent.code_signature.signing_id: + dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy - flat_name: process.entry_leader.parent.code_signature.signing_id + flat_name: process.parent.code_signature.signing_id ignore_above: 1024 level: extended name: signing_id 
@@ -17188,15 +15018,15 @@ process: original_fieldset: code_signature short: The identifier used to sign the process. type: keyword - process.entry_leader.parent.code_signature.status: - dashed_name: process-entry-leader-parent-code-signature-status + process.parent.code_signature.status: + dashed_name: process-parent-code-signature-status description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT - flat_name: process.entry_leader.parent.code_signature.status + flat_name: process.parent.code_signature.status ignore_above: 1024 level: extended name: status @@ -17204,11 +15034,11 @@ process: original_fieldset: code_signature short: Additional information about the certificate status. type: keyword - process.entry_leader.parent.code_signature.subject_name: - dashed_name: process-entry-leader-parent-code-signature-subject-name + process.parent.code_signature.subject_name: + dashed_name: process-parent-code-signature-subject-name description: Subject name of the code signer example: Microsoft Corporation - flat_name: process.entry_leader.parent.code_signature.subject_name + flat_name: process.parent.code_signature.subject_name ignore_above: 1024 level: core name: subject_name 
@@ -17216,14 +15046,14 @@ process: original_fieldset: code_signature short: Subject name of the code signer type: keyword - process.entry_leader.parent.code_signature.team_id: - dashed_name: process-entry-leader-parent-code-signature-team-id + process.parent.code_signature.team_id: + dashed_name: process-parent-code-signature-team-id description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV - flat_name: process.entry_leader.parent.code_signature.team_id + flat_name: process.parent.code_signature.team_id ignore_above: 1024 level: extended name: team_id @@ -17231,12 +15061,12 @@ process: original_fieldset: code_signature short: The team identifier used to sign the process. type: keyword - process.entry_leader.parent.code_signature.thumbprint_sha256: + process.parent.code_signature.thumbprint_sha256: beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-code-signature-thumbprint-sha256 + dashed_name: process-parent-code-signature-thumbprint-sha256 description: Certificate SHA256 hash that uniquely identifies the code signer. example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.entry_leader.parent.code_signature.thumbprint_sha256 + flat_name: process.parent.code_signature.thumbprint_sha256 ignore_above: 64 level: extended name: thumbprint_sha256 
@@ -17245,39 +15075,39 @@ process: pattern: ^[0-9a-f]{64}$ short: SHA256 hash of the certificate. type: keyword - process.entry_leader.parent.code_signature.timestamp: - dashed_name: process-entry-leader-parent-code-signature-timestamp + process.parent.code_signature.timestamp: + dashed_name: process-parent-code-signature-timestamp description: Date and time when the code signature was generated and signed. example: '2021-01-01T12:10:30Z' - flat_name: process.entry_leader.parent.code_signature.timestamp + flat_name: process.parent.code_signature.timestamp level: extended name: timestamp normalize: [] original_fieldset: code_signature short: When the signature was generated and signed. type: date - process.entry_leader.parent.code_signature.trusted: - dashed_name: process-entry-leader-parent-code-signature-trusted + process.parent.code_signature.trusted: + dashed_name: process-parent-code-signature-trusted description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' - flat_name: process.entry_leader.parent.code_signature.trusted + flat_name: process.parent.code_signature.trusted level: extended name: trusted normalize: [] original_fieldset: code_signature short: Stores the trust status of the certificate chain. type: boolean - process.entry_leader.parent.code_signature.valid: - dashed_name: process-entry-leader-parent-code-signature-valid + process.parent.code_signature.valid: + dashed_name: process-parent-code-signature-valid description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' - flat_name: process.entry_leader.parent.code_signature.valid + flat_name: process.parent.code_signature.valid level: extended name: valid normalize: [] 
@@ -17285,17 +15115,17 @@ process: short: Boolean to capture if the digital signature is verified against the binary content. type: boolean - process.entry_leader.parent.command_line: - dashed_name: process-entry-leader-parent-command-line + process.parent.command_line: + dashed_name: process-parent-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.entry_leader.parent.command_line + flat_name: process.parent.command_line level: extended multi_fields: - - flat_name: process.entry_leader.parent.command_line.text + - flat_name: process.parent.command_line.text name: text type: match_only_text name: command_line @@ -17303,11 +15133,11 @@ process: original_fieldset: process short: Full command line that started the process. type: wildcard - process.entry_leader.parent.elf.architecture: - dashed_name: process-entry-leader-parent-elf-architecture + process.parent.elf.architecture: + dashed_name: process-parent-elf-architecture description: Machine architecture of the ELF file. example: x86-64 - flat_name: process.entry_leader.parent.elf.architecture + flat_name: process.parent.elf.architecture ignore_above: 1024 level: extended name: architecture @@ -17315,11 +15145,11 @@ process: original_fieldset: elf short: Machine architecture of the ELF file. type: keyword - process.entry_leader.parent.elf.byte_order: - dashed_name: process-entry-leader-parent-elf-byte-order + process.parent.elf.byte_order: + dashed_name: process-parent-elf-byte-order description: Byte sequence of ELF file. example: Little Endian - flat_name: process.entry_leader.parent.elf.byte_order + flat_name: process.parent.elf.byte_order ignore_above: 1024 level: extended name: byte_order 
@@ -17327,11 +15157,11 @@ process: original_fieldset: elf short: Byte sequence of ELF file. type: keyword - process.entry_leader.parent.elf.cpu_type: - dashed_name: process-entry-leader-parent-elf-cpu-type + process.parent.elf.cpu_type: + dashed_name: process-parent-elf-cpu-type description: CPU type of the ELF file. example: Intel - flat_name: process.entry_leader.parent.elf.cpu_type + flat_name: process.parent.elf.cpu_type ignore_above: 1024 level: extended name: cpu_type @@ -17339,21 +15169,21 @@ process: original_fieldset: elf short: CPU type of the ELF file. type: keyword - process.entry_leader.parent.elf.creation_date: - dashed_name: process-entry-leader-parent-elf-creation-date + process.parent.elf.creation_date: + dashed_name: process-parent-elf-creation-date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. - flat_name: process.entry_leader.parent.elf.creation_date + flat_name: process.parent.elf.creation_date level: extended name: creation_date normalize: [] original_fieldset: elf short: Build or compile date. type: date - process.entry_leader.parent.elf.exports: - dashed_name: process-entry-leader-parent-elf-exports + process.parent.elf.exports: + dashed_name: process-parent-elf-exports description: List of exported element names and types. - flat_name: process.entry_leader.parent.elf.exports + flat_name: process.parent.elf.exports level: extended name: exports normalize: 
@@ -17361,8 +15191,8 @@ process: original_fieldset: elf short: List of exported element names and types. type: flattened - process.entry_leader.parent.elf.go_import_hash: - dashed_name: process-entry-leader-parent-elf-go-import-hash + process.parent.elf.go_import_hash: + dashed_name: process-parent-elf-go-import-hash description: 'A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would @@ -17371,7 +15201,7 @@ process: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.elf.go_import_hash + flat_name: process.parent.elf.go_import_hash ignore_above: 1024 level: extended name: go_import_hash 
@@ -17379,20 +15209,20 @@ process: original_fieldset: elf short: A hash of the Go language imports in an ELF file. type: keyword - process.entry_leader.parent.elf.go_imports: - dashed_name: process-entry-leader-parent-elf-go-imports + process.parent.elf.go_imports: + dashed_name: process-parent-elf-go-imports description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.elf.go_imports + flat_name: process.parent.elf.go_imports level: extended name: go_imports normalize: [] original_fieldset: elf short: List of imported Go language element names and types. type: flattened - process.entry_leader.parent.elf.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-elf-go-imports-names-entropy + process.parent.elf.go_imports_names_entropy: + dashed_name: process-parent-elf-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.elf.go_imports_names_entropy + flat_name: process.parent.elf.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy @@ -17400,10 +15230,10 @@ process: original_fieldset: elf short: Shannon entropy calculation from the list of Go imports. type: long - process.entry_leader.parent.elf.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-elf-go-imports-names-var-entropy + process.parent.elf.go_imports_names_var_entropy: + dashed_name: process-parent-elf-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.elf.go_imports_names_var_entropy + flat_name: process.parent.elf.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -17411,21 +15241,21 @@ process: original_fieldset: elf short: Variance for Shannon entropy calculation from the list of Go imports. type: long - process.entry_leader.parent.elf.go_stripped: - dashed_name: process-entry-leader-parent-elf-go-stripped + process.parent.elf.go_stripped: + dashed_name: process-parent-elf-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.elf.go_stripped + flat_name: process.parent.elf.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: elf short: Whether the file is a stripped or obfuscated Go executable. type: boolean - process.entry_leader.parent.elf.header.abi_version: - dashed_name: process-entry-leader-parent-elf-header-abi-version + process.parent.elf.header.abi_version: + dashed_name: process-parent-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.entry_leader.parent.elf.header.abi_version + flat_name: process.parent.elf.header.abi_version ignore_above: 1024 level: extended name: header.abi_version @@ -17433,10 +15263,10 @@ process: original_fieldset: elf short: Version of the ELF Application Binary Interface (ABI). type: keyword - process.entry_leader.parent.elf.header.class: - dashed_name: process-entry-leader-parent-elf-header-class + process.parent.elf.header.class: + dashed_name: process-parent-elf-header-class description: Header class of the ELF file. - flat_name: process.entry_leader.parent.elf.header.class + flat_name: process.parent.elf.header.class ignore_above: 1024 level: extended name: header.class 
@@ -17444,10 +15274,10 @@ process: original_fieldset: elf short: Header class of the ELF file. type: keyword - process.entry_leader.parent.elf.header.data: - dashed_name: process-entry-leader-parent-elf-header-data + process.parent.elf.header.data: + dashed_name: process-parent-elf-header-data description: Data table of the ELF header. - flat_name: process.entry_leader.parent.elf.header.data + flat_name: process.parent.elf.header.data ignore_above: 1024 level: extended name: header.data @@ -17455,10 +15285,10 @@ process: original_fieldset: elf short: Data table of the ELF header. type: keyword - process.entry_leader.parent.elf.header.entrypoint: - dashed_name: process-entry-leader-parent-elf-header-entrypoint + process.parent.elf.header.entrypoint: + dashed_name: process-parent-elf-header-entrypoint description: Header entrypoint of the ELF file. - flat_name: process.entry_leader.parent.elf.header.entrypoint + flat_name: process.parent.elf.header.entrypoint format: string level: extended name: header.entrypoint @@ -17466,10 +15296,10 @@ process: original_fieldset: elf short: Header entrypoint of the ELF file. type: long - process.entry_leader.parent.elf.header.object_version: - dashed_name: process-entry-leader-parent-elf-header-object-version + process.parent.elf.header.object_version: + dashed_name: process-parent-elf-header-object-version description: '"0x1" for original ELF files.' - flat_name: process.entry_leader.parent.elf.header.object_version + flat_name: process.parent.elf.header.object_version ignore_above: 1024 level: extended name: header.object_version 
@@ -17477,10 +15307,10 @@ process: original_fieldset: elf short: '"0x1" for original ELF files.' type: keyword - process.entry_leader.parent.elf.header.os_abi: - dashed_name: process-entry-leader-parent-elf-header-os-abi + process.parent.elf.header.os_abi: + dashed_name: process-parent-elf-header-os-abi description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.entry_leader.parent.elf.header.os_abi + flat_name: process.parent.elf.header.os_abi ignore_above: 1024 level: extended name: header.os_abi @@ -17488,10 +15318,10 @@ process: original_fieldset: elf short: Application Binary Interface (ABI) of the Linux OS. type: keyword - process.entry_leader.parent.elf.header.type: - dashed_name: process-entry-leader-parent-elf-header-type + process.parent.elf.header.type: + dashed_name: process-parent-elf-header-type description: Header type of the ELF file. - flat_name: process.entry_leader.parent.elf.header.type + flat_name: process.parent.elf.header.type ignore_above: 1024 level: extended name: header.type @@ -17499,10 +15329,10 @@ process: original_fieldset: elf short: Header type of the ELF file. type: keyword - process.entry_leader.parent.elf.header.version: - dashed_name: process-entry-leader-parent-elf-header-version + process.parent.elf.header.version: + dashed_name: process-parent-elf-header-version description: Version of the ELF header. - flat_name: process.entry_leader.parent.elf.header.version + flat_name: process.parent.elf.header.version ignore_above: 1024 level: extended name: header.version 
@@ -17510,15 +15340,15 @@ process: original_fieldset: elf short: Version of the ELF header. type: keyword - process.entry_leader.parent.elf.import_hash: - dashed_name: process-entry-leader-parent-elf-import-hash + process.parent.elf.import_hash: + dashed_name: process-parent-elf-import-hash description: 'A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is an ELF implementation of the Windows PE imphash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.elf.import_hash + flat_name: process.parent.elf.import_hash ignore_above: 1024 level: extended name: import_hash @@ -17526,10 +15356,10 @@ process: original_fieldset: elf short: A hash of the imports in an ELF file. type: keyword - process.entry_leader.parent.elf.imports: - dashed_name: process-entry-leader-parent-elf-imports + process.parent.elf.imports: + dashed_name: process-parent-elf-imports description: List of imported element names and types. - flat_name: process.entry_leader.parent.elf.imports + flat_name: process.parent.elf.imports level: extended name: imports normalize: @@ -17537,11 +15367,11 @@ process: original_fieldset: elf short: List of imported element names and types. type: flattened - process.entry_leader.parent.elf.imports_names_entropy: - dashed_name: process-entry-leader-parent-elf-imports-names-entropy + process.parent.elf.imports_names_entropy: + dashed_name: process-parent-elf-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.entry_leader.parent.elf.imports_names_entropy + flat_name: process.parent.elf.imports_names_entropy format: number level: extended name: imports_names_entropy 
@@ -17550,11 +15380,11 @@ process: short: Shannon entropy calculation from the list of imported element names and types. type: long - process.entry_leader.parent.elf.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-elf-imports-names-var-entropy + process.parent.elf.imports_names_var_entropy: + dashed_name: process-parent-elf-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.entry_leader.parent.elf.imports_names_var_entropy + flat_name: process.parent.elf.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy @@ -17563,13 +15393,13 @@ process: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long - process.entry_leader.parent.elf.sections: - dashed_name: process-entry-leader-parent-elf-sections + process.parent.elf.sections: + dashed_name: process-parent-elf-sections description: 'An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.' - flat_name: process.entry_leader.parent.elf.sections + flat_name: process.parent.elf.sections level: extended name: sections normalize: @@ -17577,10 +15407,10 @@ process: original_fieldset: elf short: Section information of the ELF file. type: nested - process.entry_leader.parent.elf.sections.chi2: - dashed_name: process-entry-leader-parent-elf-sections-chi2 + process.parent.elf.sections.chi2: + dashed_name: process-parent-elf-sections-chi2 description: Chi-square probability distribution of the section. - flat_name: process.entry_leader.parent.elf.sections.chi2 + flat_name: process.parent.elf.sections.chi2 format: number level: extended name: sections.chi2 
@@ -17588,10 +15418,10 @@ process: original_fieldset: elf short: Chi-square probability distribution of the section. type: long - process.entry_leader.parent.elf.sections.entropy: - dashed_name: process-entry-leader-parent-elf-sections-entropy + process.parent.elf.sections.entropy: + dashed_name: process-parent-elf-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.elf.sections.entropy + flat_name: process.parent.elf.sections.entropy format: number level: extended name: sections.entropy @@ -17599,10 +15429,10 @@ process: original_fieldset: elf short: Shannon entropy calculation from the section. type: long - process.entry_leader.parent.elf.sections.flags: - dashed_name: process-entry-leader-parent-elf-sections-flags + process.parent.elf.sections.flags: + dashed_name: process-parent-elf-sections-flags description: ELF Section List flags. - flat_name: process.entry_leader.parent.elf.sections.flags + flat_name: process.parent.elf.sections.flags ignore_above: 1024 level: extended name: sections.flags @@ -17610,10 +15440,10 @@ process: original_fieldset: elf short: ELF Section List flags. type: keyword - process.entry_leader.parent.elf.sections.name: - dashed_name: process-entry-leader-parent-elf-sections-name + process.parent.elf.sections.name: + dashed_name: process-parent-elf-sections-name description: ELF Section List name. - flat_name: process.entry_leader.parent.elf.sections.name + flat_name: process.parent.elf.sections.name ignore_above: 1024 level: extended name: sections.name 
@@ -17621,10 +15451,10 @@ process: original_fieldset: elf short: ELF Section List name. type: keyword - process.entry_leader.parent.elf.sections.physical_offset: - dashed_name: process-entry-leader-parent-elf-sections-physical-offset + process.parent.elf.sections.physical_offset: + dashed_name: process-parent-elf-sections-physical-offset description: ELF Section List offset. - flat_name: process.entry_leader.parent.elf.sections.physical_offset + flat_name: process.parent.elf.sections.physical_offset ignore_above: 1024 level: extended name: sections.physical_offset @@ -17632,10 +15462,10 @@ process: original_fieldset: elf short: ELF Section List offset. type: keyword - process.entry_leader.parent.elf.sections.physical_size: - dashed_name: process-entry-leader-parent-elf-sections-physical-size + process.parent.elf.sections.physical_size: + dashed_name: process-parent-elf-sections-physical-size description: ELF Section List physical size. - flat_name: process.entry_leader.parent.elf.sections.physical_size + flat_name: process.parent.elf.sections.physical_size format: bytes level: extended name: sections.physical_size @@ -17643,10 +15473,10 @@ process: original_fieldset: elf short: ELF Section List physical size. type: long - process.entry_leader.parent.elf.sections.type: - dashed_name: process-entry-leader-parent-elf-sections-type + process.parent.elf.sections.type: + dashed_name: process-parent-elf-sections-type description: ELF Section List type. - flat_name: process.entry_leader.parent.elf.sections.type + flat_name: process.parent.elf.sections.type ignore_above: 1024 level: extended name: sections.type 
@@ -17654,10 +15484,10 @@ process: original_fieldset: elf short: ELF Section List type. type: keyword - process.entry_leader.parent.elf.sections.var_entropy: - dashed_name: process-entry-leader-parent-elf-sections-var-entropy + process.parent.elf.sections.var_entropy: + dashed_name: process-parent-elf-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.elf.sections.var_entropy + flat_name: process.parent.elf.sections.var_entropy format: number level: extended name: sections.var_entropy @@ -17665,10 +15495,10 @@ process: original_fieldset: elf short: Variance for Shannon entropy calculation from the section. type: long - process.entry_leader.parent.elf.sections.virtual_address: - dashed_name: process-entry-leader-parent-elf-sections-virtual-address + process.parent.elf.sections.virtual_address: + dashed_name: process-parent-elf-sections-virtual-address description: ELF Section List virtual address. - flat_name: process.entry_leader.parent.elf.sections.virtual_address + flat_name: process.parent.elf.sections.virtual_address format: string level: extended name: sections.virtual_address @@ -17676,10 +15506,10 @@ process: original_fieldset: elf short: ELF Section List virtual address. type: long - process.entry_leader.parent.elf.sections.virtual_size: - dashed_name: process-entry-leader-parent-elf-sections-virtual-size + process.parent.elf.sections.virtual_size: + dashed_name: process-parent-elf-sections-virtual-size description: ELF Section List virtual size. - flat_name: process.entry_leader.parent.elf.sections.virtual_size + flat_name: process.parent.elf.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -17687,13 +15517,13 @@ process: original_fieldset: elf short: ELF Section List virtual size. type: long - process.entry_leader.parent.elf.segments: - dashed_name: process-entry-leader-parent-elf-segments + process.parent.elf.segments: + dashed_name: process-parent-elf-segments description: 'An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.' - flat_name: process.entry_leader.parent.elf.segments + flat_name: process.parent.elf.segments level: extended name: segments normalize: @@ -17701,10 +15531,10 @@ process: original_fieldset: elf short: ELF object segment list. type: nested - process.entry_leader.parent.elf.segments.sections: - dashed_name: process-entry-leader-parent-elf-segments-sections + process.parent.elf.segments.sections: + dashed_name: process-parent-elf-segments-sections description: ELF object segment sections. - flat_name: process.entry_leader.parent.elf.segments.sections + flat_name: process.parent.elf.segments.sections ignore_above: 1024 level: extended name: segments.sections @@ -17712,10 +15542,10 @@ process: original_fieldset: elf short: ELF object segment sections. type: keyword - process.entry_leader.parent.elf.segments.type: - dashed_name: process-entry-leader-parent-elf-segments-type + process.parent.elf.segments.type: + dashed_name: process-parent-elf-segments-type description: ELF object segment type. - flat_name: process.entry_leader.parent.elf.segments.type + flat_name: process.parent.elf.segments.type ignore_above: 1024 level: extended name: segments.type 
@@ -17723,10 +15553,10 @@ process: original_fieldset: elf short: ELF object segment type. type: keyword - process.entry_leader.parent.elf.shared_libraries: - dashed_name: process-entry-leader-parent-elf-shared-libraries + process.parent.elf.shared_libraries: + dashed_name: process-parent-elf-shared-libraries description: List of shared libraries used by this ELF object. - flat_name: process.entry_leader.parent.elf.shared_libraries + flat_name: process.parent.elf.shared_libraries ignore_above: 1024 level: extended name: shared_libraries @@ -17735,10 +15565,10 @@ process: original_fieldset: elf short: List of shared libraries used by this ELF object. type: keyword - process.entry_leader.parent.elf.telfhash: - dashed_name: process-entry-leader-parent-elf-telfhash + process.parent.elf.telfhash: + dashed_name: process-parent-elf-telfhash description: telfhash symbol hash for ELF file. - flat_name: process.entry_leader.parent.elf.telfhash + flat_name: process.parent.elf.telfhash ignore_above: 1024 level: extended name: telfhash 
@@ -17746,31 +15576,19 @@ process: original_fieldset: elf short: telfhash hash for ELF file. type: keyword - process.entry_leader.parent.end: - dashed_name: process-entry-leader-parent-end + process.parent.end: + dashed_name: process-parent-end description: The time the process ended. example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.end + flat_name: process.parent.end level: extended name: end normalize: [] original_fieldset: process short: The time the process ended. type: date - process.entry_leader.parent.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.entry_leader.parent.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.entry_leader.parent.entity_id: - dashed_name: process-entry-leader-parent-entity-id + process.parent.entity_id: + dashed_name: process-parent-entity-id description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples @@ -17781,7 +15599,7 @@ process: PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d - flat_name: process.entry_leader.parent.entity_id + flat_name: process.parent.entity_id ignore_above: 1024 level: extended name: entity_id 
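Review bot: the hunk `@@ -17746,31 +15576,19 @@` drops `process.entry_leader.parent.endpoint_security_client` (a `beta` field, `type: boolean`) between `end` and `entity_id` with no `process.parent.endpoint_security_client` counterpart on the `+` side, unlike every neighbouring entry that gets a matching `process.parent.*` line; because the entries are sorted alphabetically and `+` `process.parent.end` runs straight into `+` `process.parent.entity_id`, the field is gone from the `process.parent` nesting in the regenerated file, not merely realigned. If removing it is not intended, the generator was run against a schema that predates this field; rebase and regenerate instead of committing this artifact.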
@@ -17789,390 +15607,15 @@ process: original_fieldset: process short: Unique identifier for the process. type: keyword - process.entry_leader.parent.entry_meta.source.address: - dashed_name: process-entry-leader-parent-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.entry_leader.parent.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword - process.entry_leader.parent.entry_meta.source.as.number: - dashed_name: process-entry-leader-parent-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.entry_leader.parent.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.entry_leader.parent.entry_meta.source.as.organization.name: - dashed_name: process-entry-leader-parent-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.entry_leader.parent.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. 
- type: keyword - process.entry_leader.parent.entry_meta.source.bytes: - dashed_name: process-entry-leader-parent-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.entry_leader.parent.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.entry_leader.parent.entry_meta.source.domain: - dashed_name: process-entry-leader-parent-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.entry_leader.parent.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.entry_leader.parent.entry_meta.source.geo.city_name: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.entry_leader.parent.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.entry_leader.parent.entry_meta.source.geo.continent_code: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.entry_leader.parent.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. 
- type: keyword - process.entry_leader.parent.entry_meta.source.geo.continent_name: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.entry_leader.parent.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.entry_leader.parent.entry_meta.source.geo.country_iso_code: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.entry_leader.parent.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - process.entry_leader.parent.entry_meta.source.geo.country_name: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.entry_leader.parent.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - process.entry_leader.parent.entry_meta.source.geo.location: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.entry_leader.parent.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - process.entry_leader.parent.entry_meta.source.geo.name: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. 
- - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.entry_leader.parent.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.entry_leader.parent.entry_meta.source.geo.postal_code: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.entry_leader.parent.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.entry_leader.parent.entry_meta.source.geo.region_iso_code: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.entry_leader.parent.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.entry_leader.parent.entry_meta.source.geo.region_name: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.entry_leader.parent.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. 
- type: keyword - process.entry_leader.parent.entry_meta.source.geo.timezone: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.entry_leader.parent.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.entry_leader.parent.entry_meta.source.ip: - dashed_name: process-entry-leader-parent-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.entry_leader.parent.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip - process.entry_leader.parent.entry_meta.source.mac: - dashed_name: process-entry-leader-parent-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.entry_leader.parent.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.entry_leader.parent.entry_meta.source.nat.ip: - dashed_name: process-entry-leader-parent-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' 
- flat_name: process.entry_leader.parent.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.entry_leader.parent.entry_meta.source.nat.port: - dashed_name: process-entry-leader-parent-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.entry_leader.parent.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.entry_leader.parent.entry_meta.source.packets: - dashed_name: process-entry-leader-parent-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.entry_leader.parent.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.entry_leader.parent.entry_meta.source.port: - dashed_name: process-entry-leader-parent-entry-meta-source-port - description: Port of the source. - flat_name: process.entry_leader.parent.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.entry_leader.parent.entry_meta.source.registered_domain: - dashed_name: process-entry-leader-parent-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' 
- example: example.com - flat_name: process.entry_leader.parent.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.entry_leader.parent.entry_meta.source.subdomain: - dashed_name: process-entry-leader-parent-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.entry_leader.parent.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword - process.entry_leader.parent.entry_meta.source.top_level_domain: - dashed_name: process-entry-leader-parent-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' 
- example: co.uk - flat_name: process.entry_leader.parent.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword - process.entry_leader.parent.entry_meta.type: - dashed_name: process-entry-leader-parent-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.entry_leader.parent.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword - process.entry_leader.parent.env_vars: - dashed_name: process-entry-leader-parent-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.entry_leader.parent.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.executable: - dashed_name: process-entry-leader-parent-executable + process.parent.executable: + dashed_name: process-parent-executable description: Absolute path to the process executable. example: /usr/bin/ssh - flat_name: process.entry_leader.parent.executable + flat_name: process.parent.executable ignore_above: 1024 level: extended multi_fields: - - flat_name: process.entry_leader.parent.executable.text + - flat_name: process.parent.executable.text name: text type: match_only_text name: executable 
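Review bot: the hunk `@@ -17789,390 +15607,15 @@` replaces 390 lines with 15, and on the `+` side `process.parent.entity_id` is followed directly by `process.parent.executable`, so the entire `process.parent.entry_meta.*` block (`entry_meta.source.address`, `.as.*`, `.geo.*`, `.ip`, `.mac`, `.nat.*`, `.registered_domain`, `.subdomain`, `.top_level_domain`, `entry_meta.type`) and `process.parent.env_vars` are absent from the regenerated artifact. `env_vars` in particular carries mapping-relevant settings (`synthetic_source_keep: none`, `normalize: - array`) that consumers of this file pick up, so dropping it silently is not a no-op. Unless this change set deliberately removes these fields from the `process.parent` reuse, this is a stale-schema regeneration and should be redone on top of the current branch.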
@@ -18180,37 +15623,24 @@ process: original_fieldset: process short: Absolute path to the process executable. type: keyword - process.entry_leader.parent.exit_code: - dashed_name: process-entry-leader-parent-exit-code + process.parent.exit_code: + dashed_name: process-parent-exit-code description: 'The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).' example: 137 - flat_name: process.entry_leader.parent.exit_code + flat_name: process.parent.exit_code level: extended name: exit_code normalize: [] original_fieldset: process short: The exit code of the process. type: long - process.entry_leader.parent.group.domain: - dashed_name: process-entry-leader-parent-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.group.id: - dashed_name: process-entry-leader-parent-group-id + process.parent.group.id: + dashed_name: process-parent-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.group.id + flat_name: process.parent.group.id ignore_above: 1024 level: extended name: id @@ -18218,10 +15648,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.entry_leader.parent.group.name: - dashed_name: process-entry-leader-parent-group-name + process.parent.group.name: + dashed_name: process-parent-group-name description: Name of the group. - flat_name: process.entry_leader.parent.group.name + flat_name: process.parent.group.name ignore_above: 1024 level: extended name: name 
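Review bot: the hunk `@@ -18180,37 +15623,24 @@` removes `process.entry_leader.parent.group.domain` ('Name of the directory the group is a member of.', `original_fieldset: group`) while the adjacent `group.id` and `group.name` entries receive `process.parent.group.id` and `process.parent.group.name` counterparts; the `+` side goes straight from `exit_code` to `group.id`, so `process.parent.group.domain` is missing from the regenerated file. This has the same root cause as the other unexplained deletions in this region: confirm whether dropping `group.domain` from the process reuses is intended and, if not, regenerate from the current schemas before this is merged.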
@@ -18229,13 +15659,72 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.entry_leader.parent.hash.cdhash: + process.parent.group_leader.entity_id: + dashed_name: process-parent-group-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.parent.group_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.parent.group_leader.pid: + dashed_name: process-parent-group-leader-pid + description: Process id. + example: 4242 + flat_name: process.parent.group_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.parent.group_leader.start: + dashed_name: process-parent-group-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.group_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.parent.group_leader.vpid: + dashed_name: process-parent-group-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' 
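Review bot: the `+` lines in the `@@ -18229,13 +15659,72 @@` hunk introduce `process.parent.group_leader.entity_id`, `process.parent.group_leader.pid`, `process.parent.group_leader.start` and `process.parent.group_leader.vpid` with no matching `-` lines, which is outside the `process.entry_leader.parent.*` removal the rest of the patch performs. If these are genuinely new, the schema source needs a corresponding change and the changelog an entry; if they already existed and are only being re-ordered by the diff algorithm (13 lines replaced by 72 is consistent with that), a regenerated diff with `--diff-algorithm=patience` would show them as unchanged context and make the review tractable. Either way, please state in the PR which it is.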
+ example: 4242 + flat_name: process.parent.group_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.parent.hash.cdhash: beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-hash-cdhash + dashed_name: process-parent-hash-cdhash description: Code directory hash, utilized to uniquely identify and authenticate the integrity of the executable code. example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.entry_leader.parent.hash.cdhash + flat_name: process.parent.hash.cdhash ignore_above: 1024 level: extended name: cdhash @@ -18243,10 +15732,10 @@ process: original_fieldset: hash short: The Code Directory (CD) hash of an executable. type: keyword - process.entry_leader.parent.hash.md5: - dashed_name: process-entry-leader-parent-hash-md5 + process.parent.hash.md5: + dashed_name: process-parent-hash-md5 description: MD5 hash. - flat_name: process.entry_leader.parent.hash.md5 + flat_name: process.parent.hash.md5 ignore_above: 1024 level: extended name: md5 @@ -18254,10 +15743,10 @@ process: original_fieldset: hash short: MD5 hash. type: keyword - process.entry_leader.parent.hash.sha1: - dashed_name: process-entry-leader-parent-hash-sha1 + process.parent.hash.sha1: + dashed_name: process-parent-hash-sha1 description: SHA1 hash. - flat_name: process.entry_leader.parent.hash.sha1 + flat_name: process.parent.hash.sha1 ignore_above: 1024 level: extended name: sha1 @@ -18265,10 +15754,10 @@ process: original_fieldset: hash short: SHA1 hash. type: keyword - process.entry_leader.parent.hash.sha256: - dashed_name: process-entry-leader-parent-hash-sha256 + process.parent.hash.sha256: + dashed_name: process-parent-hash-sha256 description: SHA256 hash. - flat_name: process.entry_leader.parent.hash.sha256 + flat_name: process.parent.hash.sha256 ignore_above: 1024 level: extended name: sha256 
@@ -18276,10 +15765,10 @@ process: original_fieldset: hash short: SHA256 hash. type: keyword - process.entry_leader.parent.hash.sha384: - dashed_name: process-entry-leader-parent-hash-sha384 + process.parent.hash.sha384: + dashed_name: process-parent-hash-sha384 description: SHA384 hash. - flat_name: process.entry_leader.parent.hash.sha384 + flat_name: process.parent.hash.sha384 ignore_above: 1024 level: extended name: sha384 @@ -18287,10 +15776,10 @@ process: original_fieldset: hash short: SHA384 hash. type: keyword - process.entry_leader.parent.hash.sha512: - dashed_name: process-entry-leader-parent-hash-sha512 + process.parent.hash.sha512: + dashed_name: process-parent-hash-sha512 description: SHA512 hash. - flat_name: process.entry_leader.parent.hash.sha512 + flat_name: process.parent.hash.sha512 ignore_above: 1024 level: extended name: sha512 @@ -18298,10 +15787,10 @@ process: original_fieldset: hash short: SHA512 hash. type: keyword - process.entry_leader.parent.hash.ssdeep: - dashed_name: process-entry-leader-parent-hash-ssdeep + process.parent.hash.ssdeep: + dashed_name: process-parent-hash-ssdeep description: SSDEEP hash. - flat_name: process.entry_leader.parent.hash.ssdeep + flat_name: process.parent.hash.ssdeep ignore_above: 1024 level: extended name: ssdeep @@ -18309,10 +15798,10 @@ process: original_fieldset: hash short: SSDEEP hash. type: keyword - process.entry_leader.parent.hash.tlsh: - dashed_name: process-entry-leader-parent-hash-tlsh + process.parent.hash.tlsh: + dashed_name: process-parent-hash-tlsh description: TLSH hash. - flat_name: process.entry_leader.parent.hash.tlsh + flat_name: process.parent.hash.tlsh ignore_above: 1024 level: extended name: tlsh 
@@ -18320,8 +15809,8 @@ process: original_fieldset: hash short: TLSH hash. type: keyword - process.entry_leader.parent.interactive: - dashed_name: process-entry-leader-parent-interactive + process.parent.interactive: + dashed_name: process-parent-interactive description: 'Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If 
@@ -18334,129 +15823,15 @@ process: backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.' example: true - flat_name: process.entry_leader.parent.interactive + flat_name: process.parent.interactive level: extended name: interactive normalize: [] original_fieldset: process short: Whether the process is connected to an interactive shell. type: boolean - process.entry_leader.parent.io: - dashed_name: process-entry-leader-parent-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.entry_leader.parent.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object - process.entry_leader.parent.io.bytes_skipped: - dashed_name: process-entry-leader-parent-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - flat_name: process.entry_leader.parent.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been - skipped. - type: object - process.entry_leader.parent.io.bytes_skipped.length: - dashed_name: process-entry-leader-parent-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.entry_leader.parent.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long - process.entry_leader.parent.io.bytes_skipped.offset: - dashed_name: process-entry-leader-parent-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. 
- flat_name: process.entry_leader.parent.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.entry_leader.parent.io.max_bytes_per_process_exceeded: - dashed_name: process-entry-leader-parent-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.entry_leader.parent.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean - process.entry_leader.parent.io.text: - dashed_name: process-entry-leader-parent-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.entry_leader.parent.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard - process.entry_leader.parent.io.total_bytes_captured: - dashed_name: process-entry-leader-parent-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.entry_leader.parent.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. 
- type: long - process.entry_leader.parent.io.total_bytes_skipped: - dashed_name: process-entry-leader-parent-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.entry_leader.parent.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. - type: long - process.entry_leader.parent.io.type: - dashed_name: process-entry-leader-parent-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - flat_name: process.entry_leader.parent.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword - process.entry_leader.parent.macho.go_import_hash: - dashed_name: process-entry-leader-parent-macho-go-import-hash + process.parent.macho.go_import_hash: + dashed_name: process-parent-macho-go-import-hash description: 'A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would @@ -18465,7 +15840,7 @@ process: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.macho.go_import_hash + flat_name: process.parent.macho.go_import_hash ignore_above: 1024 level: extended name: go_import_hash 
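Review bot: the deleted `process.entry_leader.parent.io.*` block carries its own justification: the removed description reads `This field only appears on the top level process object, which is the process that wrote the output or read the input.`, so the nested copies under `entry_leader.parent` could never have been populated. That is worth stating in the changelog so readers do not treat the removal of `io.text`, `io.bytes_skipped.*`, `io.total_bytes_captured`, `io.total_bytes_skipped` and `io.type` here as lost telemetry; detection content that references `process.entry_leader.parent.io.*` should still be grepped for before merge.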
@@ -18473,20 +15848,20 @@ process: original_fieldset: macho short: A hash of the Go language imports in a Mach-O file. type: keyword - process.entry_leader.parent.macho.go_imports: - dashed_name: process-entry-leader-parent-macho-go-imports + process.parent.macho.go_imports: + dashed_name: process-parent-macho-go-imports description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.macho.go_imports + flat_name: process.parent.macho.go_imports level: extended name: go_imports normalize: [] original_fieldset: macho short: List of imported Go language element names and types. type: flattened - process.entry_leader.parent.macho.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-macho-go-imports-names-entropy + process.parent.macho.go_imports_names_entropy: + dashed_name: process-parent-macho-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.macho.go_imports_names_entropy + flat_name: process.parent.macho.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy @@ -18494,10 +15869,10 @@ process: original_fieldset: macho short: Shannon entropy calculation from the list of Go imports. type: long - process.entry_leader.parent.macho.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-macho-go-imports-names-var-entropy + process.parent.macho.go_imports_names_var_entropy: + dashed_name: process-parent-macho-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.macho.go_imports_names_var_entropy + flat_name: process.parent.macho.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -18505,26 +15880,26 @@ process: original_fieldset: macho short: Variance for Shannon entropy calculation from the list of Go imports. type: long - process.entry_leader.parent.macho.go_stripped: - dashed_name: process-entry-leader-parent-macho-go-stripped + process.parent.macho.go_stripped: + dashed_name: process-parent-macho-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.macho.go_stripped + flat_name: process.parent.macho.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: macho short: Whether the file is a stripped or obfuscated Go executable. type: boolean - process.entry_leader.parent.macho.import_hash: - dashed_name: process-entry-leader-parent-macho-import-hash + process.parent.macho.import_hash: + dashed_name: process-parent-macho-import-hash description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for symhash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.macho.import_hash + flat_name: process.parent.macho.import_hash ignore_above: 1024 level: extended name: import_hash @@ -18532,10 +15907,10 @@ process: original_fieldset: macho short: A hash of the imports in a Mach-O file. type: keyword - process.entry_leader.parent.macho.imports: - dashed_name: process-entry-leader-parent-macho-imports + process.parent.macho.imports: + dashed_name: process-parent-macho-imports description: List of imported element names and types. - flat_name: process.entry_leader.parent.macho.imports + flat_name: process.parent.macho.imports level: extended name: imports normalize: 
@@ -18543,11 +15918,11 @@ process: original_fieldset: macho short: List of imported element names and types. type: flattened - process.entry_leader.parent.macho.imports_names_entropy: - dashed_name: process-entry-leader-parent-macho-imports-names-entropy + process.parent.macho.imports_names_entropy: + dashed_name: process-parent-macho-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.entry_leader.parent.macho.imports_names_entropy + flat_name: process.parent.macho.imports_names_entropy format: number level: extended name: imports_names_entropy @@ -18556,11 +15931,11 @@ process: short: Shannon entropy calculation from the list of imported element names and types. type: long - process.entry_leader.parent.macho.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-macho-imports-names-var-entropy + process.parent.macho.imports_names_var_entropy: + dashed_name: process-parent-macho-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.entry_leader.parent.macho.imports_names_var_entropy + flat_name: process.parent.macho.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy @@ -18569,13 +15944,13 @@ process: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long - process.entry_leader.parent.macho.sections: - dashed_name: process-entry-leader-parent-macho-sections + process.parent.macho.sections: + dashed_name: process-parent-macho-sections description: 'An array containing an object for each section of the Mach-O file. The keys that should be present in these objects are defined by sub-fields underneath `macho.sections.*`.' - flat_name: process.entry_leader.parent.macho.sections + flat_name: process.parent.macho.sections level: extended name: sections normalize: 
@@ -18583,10 +15958,10 @@ process: original_fieldset: macho short: Section information of the Mach-O file. type: nested - process.entry_leader.parent.macho.sections.entropy: - dashed_name: process-entry-leader-parent-macho-sections-entropy + process.parent.macho.sections.entropy: + dashed_name: process-parent-macho-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.macho.sections.entropy + flat_name: process.parent.macho.sections.entropy format: number level: extended name: sections.entropy @@ -18594,10 +15969,10 @@ process: original_fieldset: macho short: Shannon entropy calculation from the section. type: long - process.entry_leader.parent.macho.sections.name: - dashed_name: process-entry-leader-parent-macho-sections-name + process.parent.macho.sections.name: + dashed_name: process-parent-macho-sections-name description: Mach-O Section List name. - flat_name: process.entry_leader.parent.macho.sections.name + flat_name: process.parent.macho.sections.name ignore_above: 1024 level: extended name: sections.name @@ -18605,10 +15980,10 @@ process: original_fieldset: macho short: Mach-O Section List name. type: keyword - process.entry_leader.parent.macho.sections.physical_size: - dashed_name: process-entry-leader-parent-macho-sections-physical-size + process.parent.macho.sections.physical_size: + dashed_name: process-parent-macho-sections-physical-size description: Mach-O Section List physical size. - flat_name: process.entry_leader.parent.macho.sections.physical_size + flat_name: process.parent.macho.sections.physical_size format: bytes level: extended name: sections.physical_size 
@@ -18616,10 +15991,10 @@ process: original_fieldset: macho short: Mach-O Section List physical size. type: long - process.entry_leader.parent.macho.sections.var_entropy: - dashed_name: process-entry-leader-parent-macho-sections-var-entropy + process.parent.macho.sections.var_entropy: + dashed_name: process-parent-macho-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.macho.sections.var_entropy + flat_name: process.parent.macho.sections.var_entropy format: number level: extended name: sections.var_entropy @@ -18627,10 +16002,10 @@ process: original_fieldset: macho short: Variance for Shannon entropy calculation from the section. type: long - process.entry_leader.parent.macho.sections.virtual_size: - dashed_name: process-entry-leader-parent-macho-sections-virtual-size + process.parent.macho.sections.virtual_size: + dashed_name: process-parent-macho-sections-virtual-size description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.parent.macho.sections.virtual_size + flat_name: process.parent.macho.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -18638,15 +16013,15 @@ process: original_fieldset: macho short: Mach-O Section List virtual size. This is always the same as `physical_size`. type: long - process.entry_leader.parent.macho.symhash: - dashed_name: process-entry-leader-parent-macho-symhash + process.parent.macho.symhash: + dashed_name: process-parent-macho-symhash description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a Mach-O implementation of the Windows PE imphash' example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.entry_leader.parent.macho.symhash + flat_name: process.parent.macho.symhash ignore_above: 1024 level: extended name: symhash @@ -18654,17 +16029,17 @@ process: original_fieldset: macho short: A hash of the imports in a Mach-O file. type: keyword - process.entry_leader.parent.name: - dashed_name: process-entry-leader-parent-name + process.parent.name: + dashed_name: process-parent-name description: 'Process name. Sometimes called program name or similar.' example: ssh - flat_name: process.entry_leader.parent.name + flat_name: process.parent.name ignore_above: 1024 level: extended multi_fields: - - flat_name: process.entry_leader.parent.name.text + - flat_name: process.parent.name.text name: text type: match_only_text name: name 
@@ -18672,38 +16047,11 @@ process: original_fieldset: process short: Process name. type: keyword - process.entry_leader.parent.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.entry_leader.parent.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.entry_leader.parent.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.entry_leader.parent.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword - process.entry_leader.parent.pe.architecture: - dashed_name: process-entry-leader-parent-pe-architecture + process.parent.pe.architecture: + dashed_name: process-parent-pe-architecture description: CPU architecture target for the file. example: x64 - flat_name: process.entry_leader.parent.pe.architecture + flat_name: process.parent.pe.architecture ignore_above: 1024 level: extended name: architecture 
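Review bot: `process.entry_leader.parent.origin_referrer_url` and `process.entry_leader.parent.origin_url` are removed in this hunk with no `+ process.parent.*` counterpart. Both are marked `beta: This field is beta and subject to change.`, so removal without a deprecation cycle is within the stated contract, but they should still be listed with the other removed paths so that integrations populating the `ignore_above: 8192` URL fields under this nesting are not surprised.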
@@ -18711,11 +16059,11 @@ process: original_fieldset: pe short: CPU architecture target for the file. type: keyword - process.entry_leader.parent.pe.company: - dashed_name: process-entry-leader-parent-pe-company + process.parent.pe.company: + dashed_name: process-parent-pe-company description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation - flat_name: process.entry_leader.parent.pe.company + flat_name: process.parent.pe.company ignore_above: 1024 level: extended name: company @@ -18723,11 +16071,11 @@ process: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword - process.entry_leader.parent.pe.description: - dashed_name: process-entry-leader-parent-pe-description + process.parent.pe.description: + dashed_name: process-parent-pe-description description: Internal description of the file, provided at compile-time. example: Paint - flat_name: process.entry_leader.parent.pe.description + flat_name: process.parent.pe.description ignore_above: 1024 level: extended name: description @@ -18735,11 +16083,11 @@ process: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword - process.entry_leader.parent.pe.file_version: - dashed_name: process-entry-leader-parent-pe-file-version + process.parent.pe.file_version: + dashed_name: process-parent-pe-file-version description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 - flat_name: process.entry_leader.parent.pe.file_version + flat_name: process.parent.pe.file_version ignore_above: 1024 level: extended name: file_version 
@@ -18747,8 +16095,8 @@ process: original_fieldset: pe short: Process name. type: keyword - process.entry_leader.parent.pe.go_import_hash: - dashed_name: process-entry-leader-parent-pe-go-import-hash + process.parent.pe.go_import_hash: + dashed_name: process-parent-pe-go-import-hash description: 'A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would @@ -18757,7 +16105,7 @@ process: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.pe.go_import_hash + flat_name: process.parent.pe.go_import_hash ignore_above: 1024 level: extended name: go_import_hash 
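Review bot: unrelated to this change but visible in the context lines at the top of the `@@ -18747,8 +16095,8 @@` hunk: `process.parent.pe.file_version` has `description: Internal version of the file, provided at compile-time.` yet `short: Process name.`, a copy-paste error in the `pe` field set that this regenerated file carries through. Since `short` is what the generated reference tables display, it is worth fixing in the `pe` schema source (for example `short: Internal version of the file, provided at compile-time.`) in a separate PR so it does not get lost in this large diff.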
@@ -18765,20 +16113,20 @@ process: original_fieldset: pe short: A hash of the Go language imports in a PE file. type: keyword - process.entry_leader.parent.pe.go_imports: - dashed_name: process-entry-leader-parent-pe-go-imports + process.parent.pe.go_imports: + dashed_name: process-parent-pe-go-imports description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.pe.go_imports + flat_name: process.parent.pe.go_imports level: extended name: go_imports normalize: [] original_fieldset: pe short: List of imported Go language element names and types. type: flattened - process.entry_leader.parent.pe.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-pe-go-imports-names-entropy + process.parent.pe.go_imports_names_entropy: + dashed_name: process-parent-pe-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.pe.go_imports_names_entropy + flat_name: process.parent.pe.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy @@ -18786,10 +16134,10 @@ process: original_fieldset: pe short: Shannon entropy calculation from the list of Go imports. type: long - process.entry_leader.parent.pe.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-pe-go-imports-names-var-entropy + process.parent.pe.go_imports_names_var_entropy: + dashed_name: process-parent-pe-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.pe.go_imports_names_var_entropy + flat_name: process.parent.pe.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -18797,26 +16145,26 @@ process: original_fieldset: pe short: Variance for Shannon entropy calculation from the list of Go imports. type: long - process.entry_leader.parent.pe.go_stripped: - dashed_name: process-entry-leader-parent-pe-go-stripped + process.parent.pe.go_stripped: + dashed_name: process-parent-pe-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.pe.go_stripped + flat_name: process.parent.pe.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: pe short: Whether the file is a stripped or obfuscated Go executable. type: boolean - process.entry_leader.parent.pe.imphash: - dashed_name: process-entry-leader-parent-pe-imphash + process.parent.pe.imphash: + dashed_name: process-parent-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.entry_leader.parent.pe.imphash + flat_name: process.parent.pe.imphash ignore_above: 1024 level: extended name: imphash 
@@ -18824,15 +16172,15 @@ process: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword - process.entry_leader.parent.pe.import_hash: - dashed_name: process-entry-leader-parent-pe-import-hash + process.parent.pe.import_hash: + dashed_name: process-parent-pe-import-hash description: 'A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for imphash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.pe.import_hash + flat_name: process.parent.pe.import_hash ignore_above: 1024 level: extended name: import_hash @@ -18840,10 +16188,10 @@ process: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword - process.entry_leader.parent.pe.imports: - dashed_name: process-entry-leader-parent-pe-imports + process.parent.pe.imports: + dashed_name: process-parent-pe-imports description: List of imported element names and types. - flat_name: process.entry_leader.parent.pe.imports + flat_name: process.parent.pe.imports level: extended name: imports normalize: @@ -18851,11 +16199,11 @@ process: original_fieldset: pe short: List of imported element names and types. type: flattened - process.entry_leader.parent.pe.imports_names_entropy: - dashed_name: process-entry-leader-parent-pe-imports-names-entropy + process.parent.pe.imports_names_entropy: + dashed_name: process-parent-pe-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.entry_leader.parent.pe.imports_names_entropy + flat_name: process.parent.pe.imports_names_entropy format: number level: extended name: imports_names_entropy 
@@ -18864,11 +16212,11 @@ process: short: Shannon entropy calculation from the list of imported element names and types. type: long - process.entry_leader.parent.pe.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-pe-imports-names-var-entropy + process.parent.pe.imports_names_var_entropy: + dashed_name: process-parent-pe-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.entry_leader.parent.pe.imports_names_var_entropy + flat_name: process.parent.pe.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy @@ -18877,11 +16225,11 @@ process: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long - process.entry_leader.parent.pe.original_file_name: - dashed_name: process-entry-leader-parent-pe-original-file-name + process.parent.pe.original_file_name: + dashed_name: process-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE - flat_name: process.entry_leader.parent.pe.original_file_name + flat_name: process.parent.pe.original_file_name ignore_above: 1024 level: extended name: original_file_name 
@@ -18889,15 +16237,15 @@ process: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: keyword - process.entry_leader.parent.pe.pehash: - dashed_name: process-entry-leader-parent-pe-pehash + process.parent.pe.pehash: + dashed_name: process-parent-pe-pehash description: 'A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.entry_leader.parent.pe.pehash + flat_name: process.parent.pe.pehash ignore_above: 1024 level: extended name: pehash @@ -18905,11 +16253,11 @@ process: original_fieldset: pe short: A hash of the PE header and data from one or more PE sections. type: keyword - process.entry_leader.parent.pe.product: - dashed_name: process-entry-leader-parent-pe-product + process.parent.pe.product: + dashed_name: process-parent-pe-product description: Internal product name of the file, provided at compile-time. example: Microsoft® Windows® Operating System - flat_name: process.entry_leader.parent.pe.product + flat_name: process.parent.pe.product ignore_above: 1024 level: extended name: product @@ -18917,13 +16265,13 @@ process: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword - process.entry_leader.parent.pe.sections: - dashed_name: process-entry-leader-parent-pe-sections + process.parent.pe.sections: + dashed_name: process-parent-pe-sections description: 'An array containing an object for each section of the PE file. The keys that should be present in these objects are defined by sub-fields underneath `pe.sections.*`.' - flat_name: process.entry_leader.parent.pe.sections + flat_name: process.parent.pe.sections level: extended name: sections normalize: 
@@ -18931,10 +16279,10 @@ process: original_fieldset: pe short: Section information of the PE file. type: nested - process.entry_leader.parent.pe.sections.entropy: - dashed_name: process-entry-leader-parent-pe-sections-entropy + process.parent.pe.sections.entropy: + dashed_name: process-parent-pe-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.pe.sections.entropy + flat_name: process.parent.pe.sections.entropy format: number level: extended name: sections.entropy @@ -18942,10 +16290,10 @@ process: original_fieldset: pe short: Shannon entropy calculation from the section. type: long - process.entry_leader.parent.pe.sections.name: - dashed_name: process-entry-leader-parent-pe-sections-name + process.parent.pe.sections.name: + dashed_name: process-parent-pe-sections-name description: PE Section List name. - flat_name: process.entry_leader.parent.pe.sections.name + flat_name: process.parent.pe.sections.name ignore_above: 1024 level: extended name: sections.name @@ -18953,10 +16301,10 @@ process: original_fieldset: pe short: PE Section List name. type: keyword - process.entry_leader.parent.pe.sections.physical_size: - dashed_name: process-entry-leader-parent-pe-sections-physical-size + process.parent.pe.sections.physical_size: + dashed_name: process-parent-pe-sections-physical-size description: PE Section List physical size. - flat_name: process.entry_leader.parent.pe.sections.physical_size + flat_name: process.parent.pe.sections.physical_size format: bytes level: extended name: sections.physical_size 
@@ -18964,10 +16312,10 @@ process: original_fieldset: pe short: PE Section List physical size. type: long - process.entry_leader.parent.pe.sections.var_entropy: - dashed_name: process-entry-leader-parent-pe-sections-var-entropy + process.parent.pe.sections.var_entropy: + dashed_name: process-parent-pe-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.pe.sections.var_entropy + flat_name: process.parent.pe.sections.var_entropy format: number level: extended name: sections.var_entropy @@ -18975,10 +16323,10 @@ process: original_fieldset: pe short: Variance for Shannon entropy calculation from the section. type: long - process.entry_leader.parent.pe.sections.virtual_size: - dashed_name: process-entry-leader-parent-pe-sections-virtual-size + process.parent.pe.sections.virtual_size: + dashed_name: process-parent-pe-sections-virtual-size description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.parent.pe.sections.virtual_size + flat_name: process.parent.pe.sections.virtual_size format: string level: extended name: sections.virtual_size @@ -18986,11 +16334,11 @@ process: original_fieldset: pe short: PE Section List virtual size. This is always the same as `physical_size`. type: long - process.entry_leader.parent.pid: - dashed_name: process-entry-leader-parent-pid + process.parent.pid: + dashed_name: process-parent-pid description: Process id. example: 4242 - flat_name: process.entry_leader.parent.pid + flat_name: process.parent.pid format: string level: core name: pid 
@@ -18998,36 +16346,60 @@ process: original_fieldset: process short: Process id. type: long - process.entry_leader.parent.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.entry_leader.parent.platform_binary + process.parent.real_group.id: + dashed_name: process-parent-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.real_group.id + ignore_above: 1024 level: extended - name: platform_binary + name: id normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.entry_leader.parent.real_group.domain: - dashed_name: process-entry-leader-parent-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.real_group.domain + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.real_group.name: + dashed_name: process-parent-real-group-name + description: Name of the group. + flat_name: process.parent.real_group.name ignore_above: 1024 level: extended - name: domain + name: name normalize: [] original_fieldset: group - short: Name of the directory the group is a member of. + short: Name of the group. + type: keyword + process.parent.real_user.id: + dashed_name: process-parent-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. 
+ type: keyword + process.parent.real_user.name: + dashed_name: process-parent-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. type: keyword - process.entry_leader.parent.real_group.id: - dashed_name: process-entry-leader-parent-real-group-id + process.parent.saved_group.id: + dashed_name: process-parent-saved-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.real_group.id + flat_name: process.parent.saved_group.id ignore_above: 1024 level: extended name: id @@ -19035,10 +16407,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.entry_leader.parent.real_group.name: - dashed_name: process-entry-leader-parent-real-group-name + process.parent.saved_group.name: + dashed_name: process-parent-saved-group-name description: Name of the group. - flat_name: process.entry_leader.parent.real_group.name + flat_name: process.parent.saved_group.name ignore_above: 1024 level: extended name: name 
@@ -19046,41362 +16418,196 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.entry_leader.parent.real_user.domain: - dashed_name: process-entry-leader-parent-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.real_user.domain + process.parent.saved_user.id: + dashed_name: process-parent-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.saved_user.id ignore_above: 1024 - level: extended - name: domain + level: core + name: id normalize: [] original_fieldset: user - short: Name of the directory the user is a member of. + short: Unique identifier of the user. type: keyword - process.entry_leader.parent.real_user.email: - dashed_name: process-entry-leader-parent-real-user-email - description: User email address. - flat_name: process.entry_leader.parent.real_user.email + process.parent.saved_user.name: + dashed_name: process-parent-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.saved_user.name ignore_above: 1024 - level: extended - name: email + level: core + multi_fields: + - flat_name: process.parent.saved_user.name.text + name: text + type: match_only_text + name: name normalize: [] original_fieldset: user - short: User email address. + short: Short name or login of the user. type: keyword - process.entry_leader.parent.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. 
Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.entry_leader.parent.real_user.entity.attributes + process.parent.start: + dashed_name: process-parent-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.start level: extended - name: attributes + name: start normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.entry_leader.parent.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.real_user.entity.behavior + original_fieldset: process + short: The time the process started. + type: date + process.parent.supplemental_groups.id: + dashed_name: process-parent-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.supplemental_groups.id + ignore_above: 1024 level: extended - name: behavior + name: id normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.entry_leader.parent.real_user.entity.display_name: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.parent.real_user.entity.display_name + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.supplemental_groups.name: + dashed_name: process-parent-supplemental-groups-name + description: Name of the group. + flat_name: process.parent.supplemental_groups.name ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.entry_leader.parent.real_user.entity.display_name.text - name: text - type: match_only_text - name: display_name + name: name normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. + original_fieldset: group + short: Name of the group. type: keyword - process.entry_leader.parent.real_user.entity.id: - dashed_name: process-entry-leader-parent-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' 
- flat_name: process.entry_leader.parent.real_user.entity.id + process.parent.thread.capabilities.effective: + dashed_name: process-parent-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.effective ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none type: keyword - process.entry_leader.parent.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.parent.real_user.entity.last_seen_timestamp + process.parent.thread.capabilities.permitted: + dashed_name: process-parent-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.permitted + ignore_above: 1024 level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.entry_leader.parent.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.real_user.entity.lifecycle + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword + process.parent.thread.id: + dashed_name: process-parent-thread-id + description: Thread ID. + example: 4242 + flat_name: process.parent.thread.id + format: string level: extended - name: lifecycle + name: thread.id normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.entry_leader.parent.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.entry_leader.parent.real_user.entity.metrics + original_fieldset: process + short: Thread ID. + type: long + process.parent.thread.name: + dashed_name: process-parent-thread-name + description: Thread name. + example: thread-0 + flat_name: process.parent.thread.name + ignore_above: 1024 level: extended - name: metrics + name: thread.name normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.entry_leader.parent.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. 
- For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.entry_leader.parent.real_user.entity.name + original_fieldset: process + short: Thread name. + type: keyword + process.parent.title: + dashed_name: process-parent-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + flat_name: process.parent.title ignore_above: 1024 - level: core + level: extended multi_fields: - - flat_name: process.entry_leader.parent.real_user.entity.name.text + - flat_name: process.parent.title.text name: text type: match_only_text - name: name + name: title normalize: [] - original_fieldset: entity - short: The name of the entity. + original_fieldset: process + short: Process title. type: keyword - process.entry_leader.parent.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.entry_leader.parent.real_user.entity.raw + process.parent.tty: + dashed_name: process-parent-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.parent.tty level: extended - name: raw + name: tty normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. + original_fieldset: process + short: Information about the controlling TTY device. type: object - process.entry_leader.parent.real_user.entity.reference: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.parent.real_user.entity.reference - ignore_above: 1024 + process.parent.tty.char_device.major: + dashed_name: process-parent-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.parent.tty.char_device.major level: extended - name: reference + name: tty.char_device.major normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.entry_leader.parent.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.entry_leader.parent.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.entry_leader.parent.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. 
Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.parent.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.entry_leader.parent.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. 
This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. 
This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.entry_leader.parent.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.entry_leader.parent.real_user.full_name: - dashed_name: process-entry-leader-parent-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.parent.real_user.group.domain: - dashed_name: process-entry-leader-parent-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.entry_leader.parent.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.real_user.group.id: - dashed_name: process-entry-leader-parent-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.real_user.group.name: - dashed_name: process-entry-leader-parent-real-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.real_user.hash: - dashed_name: process-entry-leader-parent-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.parent.real_user.id: - dashed_name: process-entry-leader-parent-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword - process.entry_leader.parent.real_user.name: - dashed_name: process-entry-leader-parent-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.entry_leader.parent.real_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.entry_leader.parent.real_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.entry_leader.parent.real_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.parent.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.parent.real_user.risk.static_level: - dashed_name: process-entry-leader-parent-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.entry_leader.parent.real_user.risk.static_score: - dashed_name: process-entry-leader-parent-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.entry_leader.parent.real_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.parent.real_user.roles: - dashed_name: process-entry-leader-parent-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.same_as_process: - dashed_name: process-entry-leader-parent-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. 
- e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.entry_leader.parent.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.entry_leader.parent.saved_group.domain: - dashed_name: process-entry-leader-parent-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.saved_group.id: - dashed_name: process-entry-leader-parent-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.saved_group.name: - dashed_name: process-entry-leader-parent-saved-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.entry_leader.parent.saved_user.domain: - dashed_name: process-entry-leader-parent-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.entry_leader.parent.saved_user.email: - dashed_name: process-entry-leader-parent-saved-user-email - description: User email address. - flat_name: process.entry_leader.parent.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.entry_leader.parent.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.entry_leader.parent.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.entry_leader.parent.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. 
Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.entry_leader.parent.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.parent.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.saved_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.entry_leader.parent.saved_user.entity.id: - dashed_name: process-entry-leader-parent-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. 
Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.entry_leader.parent.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.entry_leader.parent.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.parent.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.entry_leader.parent.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.entry_leader.parent.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. 
- flat_name: process.entry_leader.parent.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.entry_leader.parent.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.entry_leader.parent.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.saved_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.entry_leader.parent.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.entry_leader.parent.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.entry_leader.parent.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. 
This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.parent.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.entry_leader.parent.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.entry_leader.parent.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.entry_leader.parent.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.parent.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.entry_leader.parent.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. 
Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. 
This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-type - description: 'A standardized high-level classification of the entity. 
This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.entry_leader.parent.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.entry_leader.parent.saved_user.full_name: - dashed_name: process-entry-leader-parent-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.parent.saved_user.group.domain: - dashed_name: process-entry-leader-parent-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.saved_user.group.id: - dashed_name: process-entry-leader-parent-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.entry_leader.parent.saved_user.group.name: - dashed_name: process-entry-leader-parent-saved-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.saved_user.hash: - dashed_name: process-entry-leader-parent-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.parent.saved_user.id: - dashed_name: process-entry-leader-parent-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.entry_leader.parent.saved_user.name: - dashed_name: process-entry-leader-parent-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword - process.entry_leader.parent.saved_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.entry_leader.parent.saved_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.entry_leader.parent.saved_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.parent.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float - process.entry_leader.parent.saved_user.risk.static_level: - dashed_name: process-entry-leader-parent-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.entry_leader.parent.saved_user.risk.static_score: - dashed_name: process-entry-leader-parent-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.entry_leader.parent.saved_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.parent.saved_user.roles: - dashed_name: process-entry-leader-parent-saved-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.session_leader.args: - dashed_name: process-entry-leader-parent-session-leader-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.entry_leader.parent.session_leader.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.entry_leader.parent.session_leader.args_count: - dashed_name: process-entry-leader-parent-session-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.entry_leader.parent.session_leader.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long - process.entry_leader.parent.session_leader.attested_groups.domain: - dashed_name: process-entry-leader-parent-session-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.entry_leader.parent.session_leader.attested_groups.id: - dashed_name: process-entry-leader-parent-session-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.session_leader.attested_groups.name: - dashed_name: process-entry-leader-parent-session-leader-attested-groups-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.session_leader.attested_user.domain: - dashed_name: process-entry-leader-parent-session-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.entry_leader.parent.session_leader.attested_user.email: - dashed_name: process-entry-leader-parent-session-leader-attested-user-email - description: User email address. - flat_name: process.entry_leader.parent.session_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.entry_leader.parent.session_leader.attested_user.entity.attributes: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.entry_leader.parent.session_leader.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.entry_leader.parent.session_leader.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. 
This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.entry_leader.parent.session_leader.attested_user.entity.id: - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.entry_leader.parent.session_leader.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. 
- flat_name: process.entry_leader.parent.session_leader.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.entry_leader.parent.session_leader.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.entry_leader.parent.session_leader.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.entry_leader.parent.session_leader.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. 
- For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.entry_leader.parent.session_leader.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.entry_leader.parent.session_leader.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. 
- type: keyword - process.entry_leader.parent.session_leader.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.entry_leader.parent.session_leader.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.entry_leader.parent.session_leader.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. 
- name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. 
This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
- example: host - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.entry_leader.parent.session_leader.attested_user.full_name: - dashed_name: process-entry-leader-parent-session-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.session_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.parent.session_leader.attested_user.group.domain: - dashed_name: process-entry-leader-parent-session-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.session_leader.attested_user.group.id: - dashed_name: process-entry-leader-parent-session-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.entry_leader.parent.session_leader.attested_user.group.name: - dashed_name: process-entry-leader-parent-session-leader-attested-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.session_leader.attested_user.hash: - dashed_name: process-entry-leader-parent-session-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.session_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.parent.session_leader.attested_user.id: - dashed_name: process-entry-leader-parent-session-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.session_leader.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.entry_leader.parent.session_leader.attested_user.name: - dashed_name: process-entry-leader-parent-session-leader-attested-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.entry_leader.parent.session_leader.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.entry_leader.parent.session_leader.attested_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.entry_leader.parent.session_leader.attested_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.parent.session_leader.attested_user.risk.static_level: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.entry_leader.parent.session_leader.attested_user.risk.static_score: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.entry_leader.parent.session_leader.attested_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.parent.session_leader.attested_user.roles: - dashed_name: process-entry-leader-parent-session-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.session_leader.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.session_leader.code_signature.digest_algorithm: - dashed_name: process-entry-leader-parent-session-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.entry_leader.parent.session_leader.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. 
- type: keyword - process.entry_leader.parent.session_leader.code_signature.exists: - dashed_name: process-entry-leader-parent-session-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.entry_leader.parent.session_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.entry_leader.parent.session_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.entry_leader.parent.session_leader.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword - process.entry_leader.parent.session_leader.code_signature.signing_id: - dashed_name: process-entry-leader-parent-session-leader-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.entry_leader.parent.session_leader.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword - process.entry_leader.parent.session_leader.code_signature.status: - dashed_name: process-entry-leader-parent-session-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. 
Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.entry_leader.parent.session_leader.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword - process.entry_leader.parent.session_leader.code_signature.subject_name: - dashed_name: process-entry-leader-parent-session-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.entry_leader.parent.session_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - process.entry_leader.parent.session_leader.code_signature.team_id: - dashed_name: process-entry-leader-parent-session-leader-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.entry_leader.parent.session_leader.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.entry_leader.parent.session_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. 
- example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.entry_leader.parent.session_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword - process.entry_leader.parent.session_leader.code_signature.timestamp: - dashed_name: process-entry-leader-parent-session-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.entry_leader.parent.session_leader.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date - process.entry_leader.parent.session_leader.code_signature.trusted: - dashed_name: process-entry-leader-parent-session-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.entry_leader.parent.session_leader.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - process.entry_leader.parent.session_leader.code_signature.valid: - dashed_name: process-entry-leader-parent-session-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' 
- example: 'true' - flat_name: process.entry_leader.parent.session_leader.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - process.entry_leader.parent.session_leader.command_line: - dashed_name: process-entry-leader-parent-session-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.entry_leader.parent.session_leader.command_line - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.entry_leader.parent.session_leader.elf.architecture: - dashed_name: process-entry-leader-parent-session-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.entry_leader.parent.session_leader.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword - process.entry_leader.parent.session_leader.elf.byte_order: - dashed_name: process-entry-leader-parent-session-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.entry_leader.parent.session_leader.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. 
- type: keyword - process.entry_leader.parent.session_leader.elf.cpu_type: - dashed_name: process-entry-leader-parent-session-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.entry_leader.parent.session_leader.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword - process.entry_leader.parent.session_leader.elf.creation_date: - dashed_name: process-entry-leader-parent-session-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: process.entry_leader.parent.session_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date - process.entry_leader.parent.session_leader.elf.exports: - dashed_name: process-entry-leader-parent-session-leader-elf-exports - description: List of exported element names and types. - flat_name: process.entry_leader.parent.session_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - process.entry_leader.parent.session_leader.elf.go_import_hash: - dashed_name: process-entry-leader-parent-session-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.session_leader.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword - process.entry_leader.parent.session_leader.elf.go_imports: - dashed_name: process-entry-leader-parent-session-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.session_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened - process.entry_leader.parent.session_leader.elf.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.session_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long - process.entry_leader.parent.session_leader.elf.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.session_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long - process.entry_leader.parent.session_leader.elf.go_stripped: - dashed_name: process-entry-leader-parent-session-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.session_leader.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.entry_leader.parent.session_leader.elf.header.abi_version: - dashed_name: process-entry-leader-parent-session-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.entry_leader.parent.session_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword - process.entry_leader.parent.session_leader.elf.header.class: - dashed_name: process-entry-leader-parent-session-leader-elf-header-class - description: Header class of the ELF file. - flat_name: process.entry_leader.parent.session_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword - process.entry_leader.parent.session_leader.elf.header.data: - dashed_name: process-entry-leader-parent-session-leader-elf-header-data - description: Data table of the ELF header. - flat_name: process.entry_leader.parent.session_leader.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. 
- type: keyword - process.entry_leader.parent.session_leader.elf.header.entrypoint: - dashed_name: process-entry-leader-parent-session-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.entry_leader.parent.session_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - process.entry_leader.parent.session_leader.elf.header.object_version: - dashed_name: process-entry-leader-parent-session-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.entry_leader.parent.session_leader.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword - process.entry_leader.parent.session_leader.elf.header.os_abi: - dashed_name: process-entry-leader-parent-session-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.entry_leader.parent.session_leader.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword - process.entry_leader.parent.session_leader.elf.header.type: - dashed_name: process-entry-leader-parent-session-leader-elf-header-type - description: Header type of the ELF file. - flat_name: process.entry_leader.parent.session_leader.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword - process.entry_leader.parent.session_leader.elf.header.version: - dashed_name: process-entry-leader-parent-session-leader-elf-header-version - description: Version of the ELF header. 
- flat_name: process.entry_leader.parent.session_leader.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword - process.entry_leader.parent.session_leader.elf.import_hash: - dashed_name: process-entry-leader-parent-session-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.session_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword - process.entry_leader.parent.session_leader.elf.imports: - dashed_name: process-entry-leader-parent-session-leader-elf-imports - description: List of imported element names and types. - flat_name: process.entry_leader.parent.session_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - process.entry_leader.parent.session_leader.elf.imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.entry_leader.parent.session_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. 
- type: long - process.entry_leader.parent.session_leader.elf.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.parent.session_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.entry_leader.parent.session_leader.elf.sections: - dashed_name: process-entry-leader-parent-session-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.entry_leader.parent.session_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - process.entry_leader.parent.session_leader.elf.sections.chi2: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.entry_leader.parent.session_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - process.entry_leader.parent.session_leader.elf.sections.entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.entry_leader.parent.session_leader.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - process.entry_leader.parent.session_leader.elf.sections.flags: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.entry_leader.parent.session_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword - process.entry_leader.parent.session_leader.elf.sections.name: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.entry_leader.parent.session_leader.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - process.entry_leader.parent.session_leader.elf.sections.physical_offset: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.entry_leader.parent.session_leader.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword - process.entry_leader.parent.session_leader.elf.sections.physical_size: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.entry_leader.parent.session_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. 
- type: long - process.entry_leader.parent.session_leader.elf.sections.type: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-type - description: ELF Section List type. - flat_name: process.entry_leader.parent.session_leader.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword - process.entry_leader.parent.session_leader.elf.sections.var_entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.session_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long - process.entry_leader.parent.session_leader.elf.sections.virtual_address: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.entry_leader.parent.session_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - process.entry_leader.parent.session_leader.elf.sections.virtual_size: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.entry_leader.parent.session_leader.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. 
- type: long - process.entry_leader.parent.session_leader.elf.segments: - dashed_name: process-entry-leader-parent-session-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: process.entry_leader.parent.session_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested - process.entry_leader.parent.session_leader.elf.segments.sections: - dashed_name: process-entry-leader-parent-session-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.entry_leader.parent.session_leader.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword - process.entry_leader.parent.session_leader.elf.segments.type: - dashed_name: process-entry-leader-parent-session-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.entry_leader.parent.session_leader.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword - process.entry_leader.parent.session_leader.elf.shared_libraries: - dashed_name: process-entry-leader-parent-session-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.entry_leader.parent.session_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. 
- type: keyword - process.entry_leader.parent.session_leader.elf.telfhash: - dashed_name: process-entry-leader-parent-session-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.entry_leader.parent.session_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - process.entry_leader.parent.session_leader.end: - dashed_name: process-entry-leader-parent-session-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.session_leader.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date - process.entry_leader.parent.session_leader.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.entry_leader.parent.session_leader.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.entry_leader.parent.session_leader.entity_id: - dashed_name: process-entry-leader-parent-session-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. 
- - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.parent.session_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.address: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.as.number: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-as-organization-name - description: Organization name. 
- example: Google LLC - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.bytes: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.entry_leader.parent.session_leader.entry_meta.source.domain: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.geo.city_name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. 
- type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_code: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.geo.country_name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. 
- type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.geo.location: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - process.entry_leader.parent.session_leader.entry_meta.source.geo.name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.geo.postal_code: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. 
- example: CA-QC - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.geo.region_name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.geo.timezone: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.ip: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip - process.entry_leader.parent.session_leader.entry_meta.source.mac: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. 
Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.nat.ip: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.entry_leader.parent.session_leader.entry_meta.source.nat.port: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.entry_leader.parent.session_leader.entry_meta.source.packets: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. 
- type: long - process.entry_leader.parent.session_leader.entry_meta.source.port: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.entry_leader.parent.session_leader.entry_meta.source.registered_domain: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.subdomain: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
- If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.top_level_domain: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword - process.entry_leader.parent.session_leader.entry_meta.type: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.entry_leader.parent.session_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. 
- type: keyword - process.entry_leader.parent.session_leader.env_vars: - dashed_name: process-entry-leader-parent-session-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.entry_leader.parent.session_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.session_leader.executable: - dashed_name: process-entry-leader-parent-session-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.entry_leader.parent.session_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword - process.entry_leader.parent.session_leader.exit_code: - dashed_name: process-entry-leader-parent-session-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.entry_leader.parent.session_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long - process.entry_leader.parent.session_leader.group.domain: - dashed_name: process-entry-leader-parent-session-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.entry_leader.parent.session_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.session_leader.group.id: - dashed_name: process-entry-leader-parent-session-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.session_leader.group.name: - dashed_name: process-entry-leader-parent-session-leader-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.session_leader.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.entry_leader.parent.session_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.entry_leader.parent.session_leader.hash.md5: - dashed_name: process-entry-leader-parent-session-leader-hash-md5 - description: MD5 hash. - flat_name: process.entry_leader.parent.session_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. 
- type: keyword - process.entry_leader.parent.session_leader.hash.sha1: - dashed_name: process-entry-leader-parent-session-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.entry_leader.parent.session_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.entry_leader.parent.session_leader.hash.sha256: - dashed_name: process-entry-leader-parent-session-leader-hash-sha256 - description: SHA256 hash. - flat_name: process.entry_leader.parent.session_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.entry_leader.parent.session_leader.hash.sha384: - dashed_name: process-entry-leader-parent-session-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.entry_leader.parent.session_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword - process.entry_leader.parent.session_leader.hash.sha512: - dashed_name: process-entry-leader-parent-session-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.entry_leader.parent.session_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.entry_leader.parent.session_leader.hash.ssdeep: - dashed_name: process-entry-leader-parent-session-leader-hash-ssdeep - description: SSDEEP hash. - flat_name: process.entry_leader.parent.session_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword - process.entry_leader.parent.session_leader.hash.tlsh: - dashed_name: process-entry-leader-parent-session-leader-hash-tlsh - description: TLSH hash. 
- flat_name: process.entry_leader.parent.session_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.entry_leader.parent.session_leader.interactive: - dashed_name: process-entry-leader-parent-session-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.entry_leader.parent.session_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.entry_leader.parent.session_leader.io: - dashed_name: process-entry-leader-parent-session-leader-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.entry_leader.parent.session_leader.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object - process.entry_leader.parent.session_leader.io.bytes_skipped: - dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. 
- flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been - skipped. - type: object - process.entry_leader.parent.session_leader.io.bytes_skipped.length: - dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long - process.entry_leader.parent.session_leader.io.bytes_skipped.offset: - dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-entry-leader-parent-session-leader-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. 
- type: boolean - process.entry_leader.parent.session_leader.io.text: - dashed_name: process-entry-leader-parent-session-leader-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.entry_leader.parent.session_leader.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard - process.entry_leader.parent.session_leader.io.total_bytes_captured: - dashed_name: process-entry-leader-parent-session-leader-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.entry_leader.parent.session_leader.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long - process.entry_leader.parent.session_leader.io.total_bytes_skipped: - dashed_name: process-entry-leader-parent-session-leader-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.entry_leader.parent.session_leader.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. 
- type: long - process.entry_leader.parent.session_leader.io.type: - dashed_name: process-entry-leader-parent-session-leader-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - flat_name: process.entry_leader.parent.session_leader.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword - process.entry_leader.parent.session_leader.macho.go_import_hash: - dashed_name: process-entry-leader-parent-session-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.session_leader.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword - process.entry_leader.parent.session_leader.macho.go_imports: - dashed_name: process-entry-leader-parent-session-leader-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.session_leader.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. 
- type: flattened - process.entry_leader.parent.session_leader.macho.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.session_leader.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long - process.entry_leader.parent.session_leader.macho.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.session_leader.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.entry_leader.parent.session_leader.macho.go_stripped: - dashed_name: process-entry-leader-parent-session-leader-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.session_leader.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.entry_leader.parent.session_leader.macho.import_hash: - dashed_name: process-entry-leader-parent-session-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. 
- - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.session_leader.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.entry_leader.parent.session_leader.macho.imports: - dashed_name: process-entry-leader-parent-session-leader-macho-imports - description: List of imported element names and types. - flat_name: process.entry_leader.parent.session_leader.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened - process.entry_leader.parent.session_leader.macho.imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.entry_leader.parent.session_leader.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.entry_leader.parent.session_leader.macho.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.parent.session_leader.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. 
- type: long - process.entry_leader.parent.session_leader.macho.sections: - dashed_name: process-entry-leader-parent-session-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.entry_leader.parent.session_leader.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.entry_leader.parent.session_leader.macho.sections.entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.session_leader.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long - process.entry_leader.parent.session_leader.macho.sections.name: - dashed_name: process-entry-leader-parent-session-leader-macho-sections-name - description: Mach-O Section List name. - flat_name: process.entry_leader.parent.session_leader.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.entry_leader.parent.session_leader.macho.sections.physical_size: - dashed_name: process-entry-leader-parent-session-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.entry_leader.parent.session_leader.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. 
- type: long - process.entry_leader.parent.session_leader.macho.sections.var_entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.session_leader.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long - process.entry_leader.parent.session_leader.macho.sections.virtual_size: - dashed_name: process-entry-leader-parent-session-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.parent.session_leader.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long - process.entry_leader.parent.session_leader.macho.symhash: - dashed_name: process-entry-leader-parent-session-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.entry_leader.parent.session_leader.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.entry_leader.parent.session_leader.name: - dashed_name: process-entry-leader-parent-session-leader-name - description: 'Process name. - - Sometimes called program name or similar.' 
- example: ssh - flat_name: process.entry_leader.parent.session_leader.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword - process.entry_leader.parent.session_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.entry_leader.parent.session_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.entry_leader.parent.session_leader.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.entry_leader.parent.session_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword - process.entry_leader.parent.session_leader.pe.architecture: - dashed_name: process-entry-leader-parent-session-leader-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.entry_leader.parent.session_leader.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. 
- type: keyword - process.entry_leader.parent.session_leader.pe.company: - dashed_name: process-entry-leader-parent-session-leader-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.entry_leader.parent.session_leader.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.entry_leader.parent.session_leader.pe.description: - dashed_name: process-entry-leader-parent-session-leader-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.entry_leader.parent.session_leader.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword - process.entry_leader.parent.session_leader.pe.file_version: - dashed_name: process-entry-leader-parent-session-leader-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.entry_leader.parent.session_leader.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - process.entry_leader.parent.session_leader.pe.go_import_hash: - dashed_name: process-entry-leader-parent-session-leader-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.session_leader.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.entry_leader.parent.session_leader.pe.go_imports: - dashed_name: process-entry-leader-parent-session-leader-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.session_leader.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.entry_leader.parent.session_leader.pe.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.session_leader.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long - process.entry_leader.parent.session_leader.pe.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.session_leader.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long - process.entry_leader.parent.session_leader.pe.go_stripped: - dashed_name: process-entry-leader-parent-session-leader-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.session_leader.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.entry_leader.parent.session_leader.pe.imphash: - dashed_name: process-entry-leader-parent-session-leader-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.entry_leader.parent.session_leader.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.entry_leader.parent.session_leader.pe.import_hash: - dashed_name: process-entry-leader-parent-session-leader-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.session_leader.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. 
- type: keyword - process.entry_leader.parent.session_leader.pe.imports: - dashed_name: process-entry-leader-parent-session-leader-pe-imports - description: List of imported element names and types. - flat_name: process.entry_leader.parent.session_leader.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened - process.entry_leader.parent.session_leader.pe.imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.entry_leader.parent.session_leader.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.entry_leader.parent.session_leader.pe.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.parent.session_leader.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.entry_leader.parent.session_leader.pe.original_file_name: - dashed_name: process-entry-leader-parent-session-leader-pe-original-file-name - description: Internal name of the file, provided at compile-time. 
- example: MSPAINT.EXE - flat_name: process.entry_leader.parent.session_leader.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword - process.entry_leader.parent.session_leader.pe.pehash: - dashed_name: process-entry-leader-parent-session-leader-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.entry_leader.parent.session_leader.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword - process.entry_leader.parent.session_leader.pe.product: - dashed_name: process-entry-leader-parent-session-leader-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.entry_leader.parent.session_leader.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.entry_leader.parent.session_leader.pe.sections: - dashed_name: process-entry-leader-parent-session-leader-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' 
- flat_name: process.entry_leader.parent.session_leader.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested - process.entry_leader.parent.session_leader.pe.sections.entropy: - dashed_name: process-entry-leader-parent-session-leader-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.session_leader.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long - process.entry_leader.parent.session_leader.pe.sections.name: - dashed_name: process-entry-leader-parent-session-leader-pe-sections-name - description: PE Section List name. - flat_name: process.entry_leader.parent.session_leader.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword - process.entry_leader.parent.session_leader.pe.sections.physical_size: - dashed_name: process-entry-leader-parent-session-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.entry_leader.parent.session_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.entry_leader.parent.session_leader.pe.sections.var_entropy: - dashed_name: process-entry-leader-parent-session-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.session_leader.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. 
- type: long - process.entry_leader.parent.session_leader.pe.sections.virtual_size: - dashed_name: process-entry-leader-parent-session-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.parent.session_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.entry_leader.parent.session_leader.pid: - dashed_name: process-entry-leader-parent-session-leader-pid - description: Process id. - example: 4242 - flat_name: process.entry_leader.parent.session_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.entry_leader.parent.session_leader.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.entry_leader.parent.session_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.entry_leader.parent.session_leader.real_group.domain: - dashed_name: process-entry-leader-parent-session-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.entry_leader.parent.session_leader.real_group.id: - dashed_name: process-entry-leader-parent-session-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.session_leader.real_group.name: - dashed_name: process-entry-leader-parent-session-leader-real-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.session_leader.real_user.domain: - dashed_name: process-entry-leader-parent-session-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.entry_leader.parent.session_leader.real_user.email: - dashed_name: process-entry-leader-parent-session-leader-real-user-email - description: User email address. - flat_name: process.entry_leader.parent.session_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.entry_leader.parent.session_leader.real_user.entity.attributes: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-session-leader-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.entry_leader.parent.session_leader.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.entry_leader.parent.session_leader.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.entry_leader.parent.session_leader.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.entry_leader.parent.session_leader.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.real_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.entry_leader.parent.session_leader.real_user.entity.id: - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.entry_leader.parent.session_leader.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.entry_leader.parent.session_leader.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. 
- flat_name: process.entry_leader.parent.session_leader.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.entry_leader.parent.session_leader.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.entry_leader.parent.session_leader.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.entry_leader.parent.session_leader.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.entry_leader.parent.session_leader.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. 
- For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.entry_leader.parent.session_leader.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.real_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.entry_leader.parent.session_leader.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.entry_leader.parent.session_leader.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.entry_leader.parent.session_leader.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.parent.session_leader.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. 
- type: keyword - process.entry_leader.parent.session_leader.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.entry_leader.parent.session_leader.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.entry_leader.parent.session_leader.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.parent.session_leader.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.entry_leader.parent.session_leader.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. 
This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. 
This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
- example: host - flat_name: process.entry_leader.parent.session_leader.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.entry_leader.parent.session_leader.real_user.full_name: - dashed_name: process-entry-leader-parent-session-leader-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.session_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.parent.session_leader.real_user.group.domain: - dashed_name: process-entry-leader-parent-session-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.session_leader.real_user.group.id: - dashed_name: process-entry-leader-parent-session-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.entry_leader.parent.session_leader.real_user.group.name: - dashed_name: process-entry-leader-parent-session-leader-real-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.session_leader.real_user.hash: - dashed_name: process-entry-leader-parent-session-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.session_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.parent.session_leader.real_user.id: - dashed_name: process-entry-leader-parent-session-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.session_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.entry_leader.parent.session_leader.real_user.name: - dashed_name: process-entry-leader-parent-session-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.session_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword - process.entry_leader.parent.session_leader.real_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.entry_leader.parent.session_leader.real_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.entry_leader.parent.session_leader.real_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float - process.entry_leader.parent.session_leader.real_user.risk.static_level: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.entry_leader.parent.session_leader.real_user.risk.static_score: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.entry_leader.parent.session_leader.real_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. 
- type: float - process.entry_leader.parent.session_leader.real_user.roles: - dashed_name: process-entry-leader-parent-session-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.session_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.session_leader.same_as_process: - dashed_name: process-entry-leader-parent-session-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' 
- example: true - flat_name: process.entry_leader.parent.session_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.entry_leader.parent.session_leader.saved_group.domain: - dashed_name: process-entry-leader-parent-session-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.session_leader.saved_group.id: - dashed_name: process-entry-leader-parent-session-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.session_leader.saved_group.name: - dashed_name: process-entry-leader-parent-session-leader-saved-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.session_leader.saved_user.domain: - dashed_name: process-entry-leader-parent-session-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.entry_leader.parent.session_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.entry_leader.parent.session_leader.saved_user.email: - dashed_name: process-entry-leader-parent-session-leader-saved-user-email - description: User email address. - flat_name: process.entry_leader.parent.session_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.entry_leader.parent.session_leader.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.entry_leader.parent.session_leader.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.entry_leader.parent.session_leader.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.entry_leader.parent.session_leader.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.entry_leader.parent.session_leader.saved_user.entity.id: - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' 
- flat_name: process.entry_leader.parent.session_leader.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.entry_leader.parent.session_leader.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.entry_leader.parent.session_leader.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.entry_leader.parent.session_leader.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. 
- flat_name: process.entry_leader.parent.session_leader.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.entry_leader.parent.session_leader.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.entry_leader.parent.session_leader.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.entry_leader.parent.session_leader.saved_user.entity.reference: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.entry_leader.parent.session_leader.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.entry_leader.parent.session_leader.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.entry_leader.parent.session_leader.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. 
- This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.entry_leader.parent.session_leader.saved_user.full_name: - dashed_name: process-entry-leader-parent-session-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.session_leader.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.parent.session_leader.saved_user.group.domain: - dashed_name: process-entry-leader-parent-session-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.entry_leader.parent.session_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.session_leader.saved_user.group.id: - dashed_name: process-entry-leader-parent-session-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.session_leader.saved_user.group.name: - dashed_name: process-entry-leader-parent-session-leader-saved-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.session_leader.saved_user.hash: - dashed_name: process-entry-leader-parent-session-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.session_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.parent.session_leader.saved_user.id: - dashed_name: process-entry-leader-parent-session-leader-saved-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.session_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.entry_leader.parent.session_leader.saved_user.name: - dashed_name: process-entry-leader-parent-session-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.session_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.entry_leader.parent.session_leader.saved_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.entry_leader.parent.session_leader.saved_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.parent.session_leader.saved_user.risk.static_level: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.entry_leader.parent.session_leader.saved_user.risk.static_score: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.entry_leader.parent.session_leader.saved_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.parent.session_leader.saved_user.roles: - dashed_name: process-entry-leader-parent-session-leader-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.session_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.session_leader.start: - dashed_name: process-entry-leader-parent-session-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.session_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. 
- type: date - process.entry_leader.parent.session_leader.supplemental_groups.domain: - dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.session_leader.supplemental_groups.id: - dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.session_leader.supplemental_groups.name: - dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.session_leader.thread.capabilities.effective: - dashed_name: process-entry-leader-parent-session-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.parent.session_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.session_leader.thread.capabilities.permitted: - dashed_name: process-entry-leader-parent-session-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.parent.session_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.session_leader.thread.id: - dashed_name: process-entry-leader-parent-session-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.entry_leader.parent.session_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long - process.entry_leader.parent.session_leader.thread.name: - dashed_name: process-entry-leader-parent-session-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.entry_leader.parent.session_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword - process.entry_leader.parent.session_leader.title: - dashed_name: process-entry-leader-parent-session-leader-title - description: 'Process title. 
- - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - flat_name: process.entry_leader.parent.session_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword - process.entry_leader.parent.session_leader.tty: - dashed_name: process-entry-leader-parent-session-leader-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.entry_leader.parent.session_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.entry_leader.parent.session_leader.tty.char_device.major: - dashed_name: process-entry-leader-parent-session-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.entry_leader.parent.session_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long - process.entry_leader.parent.session_leader.tty.char_device.minor: - dashed_name: process-entry-leader-parent-session-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. 
It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.entry_leader.parent.session_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long - process.entry_leader.parent.session_leader.tty.columns: - dashed_name: process-entry-leader-parent-session-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.entry_leader.parent.session_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.entry_leader.parent.session_leader.tty.rows: - dashed_name: process-entry-leader-parent-session-leader-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.entry_leader.parent.session_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.entry_leader.parent.session_leader.uptime: - dashed_name: process-entry-leader-parent-session-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.entry_leader.parent.session_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. 
- type: long - process.entry_leader.parent.session_leader.user.domain: - dashed_name: process-entry-leader-parent-session-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.entry_leader.parent.session_leader.user.email: - dashed_name: process-entry-leader-parent-session-leader-user-email - description: User email address. - flat_name: process.entry_leader.parent.session_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.entry_leader.parent.session_leader.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.entry_leader.parent.session_leader.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.entry_leader.parent.session_leader.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. 
Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.entry_leader.parent.session_leader.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.parent.session_leader.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.entry_leader.parent.session_leader.user.entity.id: - dashed_name: process-entry-leader-parent-session-leader-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. 
Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.entry_leader.parent.session_leader.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.entry_leader.parent.session_leader.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.parent.session_leader.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.entry_leader.parent.session_leader.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.entry_leader.parent.session_leader.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. 
- flat_name: process.entry_leader.parent.session_leader.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.entry_leader.parent.session_leader.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.entry_leader.parent.session_leader.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.entry_leader.parent.session_leader.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.entry_leader.parent.session_leader.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.entry_leader.parent.session_leader.user.entity.reference: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-session-leader-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.parent.session_leader.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.entry_leader.parent.session_leader.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.entry_leader.parent.session_leader.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.entry_leader.parent.session_leader.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: process.entry_leader.parent.session_leader.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.entry_leader.parent.session_leader.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. 
- This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.entry_leader.parent.session_leader.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.entry_leader.parent.session_leader.user.full_name: - dashed_name: process-entry-leader-parent-session-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.session_leader.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.parent.session_leader.user.group.domain: - dashed_name: process-entry-leader-parent-session-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.entry_leader.parent.session_leader.user.group.id: - dashed_name: process-entry-leader-parent-session-leader-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.session_leader.user.group.name: - dashed_name: process-entry-leader-parent-session-leader-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.session_leader.user.hash: - dashed_name: process-entry-leader-parent-session-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.session_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.parent.session_leader.user.id: - dashed_name: process-entry-leader-parent-session-leader-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.session_leader.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword - process.entry_leader.parent.session_leader.user.name: - dashed_name: process-entry-leader-parent-session-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.session_leader.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.entry_leader.parent.session_leader.user.risk.calculated_level: - dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.entry_leader.parent.session_leader.user.risk.calculated_score: - dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.entry_leader.parent.session_leader.user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.parent.session_leader.user.risk.static_level: - dashed_name: process-entry-leader-parent-session-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.session_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.entry_leader.parent.session_leader.user.risk.static_score: - dashed_name: process-entry-leader-parent-session-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.session_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.entry_leader.parent.session_leader.user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-session-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.session_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.parent.session_leader.user.roles: - dashed_name: process-entry-leader-parent-session-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.session_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.session_leader.vpid: - dashed_name: process-entry-leader-parent-session-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.entry_leader.parent.session_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.entry_leader.parent.session_leader.working_directory: - dashed_name: process-entry-leader-parent-session-leader-working-directory - description: The working directory of the process. 
- example: /home/alice - flat_name: process.entry_leader.parent.session_leader.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword - process.entry_leader.parent.start: - dashed_name: process-entry-leader-parent-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.entry_leader.parent.supplemental_groups.domain: - dashed_name: process-entry-leader-parent-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.supplemental_groups.id: - dashed_name: process-entry-leader-parent-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.supplemental_groups.name: - dashed_name: process-entry-leader-parent-supplemental-groups-name - description: Name of the group. 
- flat_name: process.entry_leader.parent.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.thread.capabilities.effective: - dashed_name: process-entry-leader-parent-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.parent.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.thread.capabilities.permitted: - dashed_name: process-entry-leader-parent-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.parent.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.thread.id: - dashed_name: process-entry-leader-parent-thread-id - description: Thread ID. - example: 4242 - flat_name: process.entry_leader.parent.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long - process.entry_leader.parent.thread.name: - dashed_name: process-entry-leader-parent-thread-name - description: Thread name. 
- example: thread-0 - flat_name: process.entry_leader.parent.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword - process.entry_leader.parent.title: - dashed_name: process-entry-leader-parent-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - flat_name: process.entry_leader.parent.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword - process.entry_leader.parent.tty: - dashed_name: process-entry-leader-parent-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.entry_leader.parent.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.entry_leader.parent.tty.char_device.major: - dashed_name: process-entry-leader-parent-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.entry_leader.parent.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. 
- type: long - process.entry_leader.parent.tty.char_device.minor: - dashed_name: process-entry-leader-parent-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.entry_leader.parent.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long - process.entry_leader.parent.tty.columns: - dashed_name: process-entry-leader-parent-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.entry_leader.parent.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.entry_leader.parent.tty.rows: - dashed_name: process-entry-leader-parent-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.entry_leader.parent.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.entry_leader.parent.uptime: - dashed_name: process-entry-leader-parent-uptime - description: Seconds the process has been up. 
- example: 1325 - flat_name: process.entry_leader.parent.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long - process.entry_leader.parent.user.domain: - dashed_name: process-entry-leader-parent-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.entry_leader.parent.user.email: - dashed_name: process-entry-leader-parent-user-email - description: User email address. - flat_name: process.entry_leader.parent.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.entry_leader.parent.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.entry_leader.parent.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.entry_leader.parent.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. 
Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.entry_leader.parent.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.parent.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.entry_leader.parent.user.entity.id: - dashed_name: process-entry-leader-parent-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' 
- flat_name: process.entry_leader.parent.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.entry_leader.parent.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.parent.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.entry_leader.parent.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.entry_leader.parent.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.entry_leader.parent.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. 
- type: object - process.entry_leader.parent.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.entry_leader.parent.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.entry_leader.parent.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.entry_leader.parent.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.entry_leader.parent.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. 
- flat_name: process.entry_leader.parent.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.entry_leader.parent.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.entry_leader.parent.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.entry_leader.parent.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.parent.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.entry_leader.parent.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. 
- name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. 
This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
- example: host - flat_name: process.entry_leader.parent.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.entry_leader.parent.user.full_name: - dashed_name: process-entry-leader-parent-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.parent.user.group.domain: - dashed_name: process-entry-leader-parent-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.user.group.id: - dashed_name: process-entry-leader-parent-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.user.group.name: - dashed_name: process-entry-leader-parent-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.entry_leader.parent.user.hash: - dashed_name: process-entry-leader-parent-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.parent.user.id: - dashed_name: process-entry-leader-parent-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.entry_leader.parent.user.name: - dashed_name: process-entry-leader-parent-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.entry_leader.parent.user.risk.calculated_level: - dashed_name: process-entry-leader-parent-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: keyword - process.entry_leader.parent.user.risk.calculated_score: - dashed_name: process-entry-leader-parent-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.entry_leader.parent.user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.parent.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.parent.user.risk.static_level: - dashed_name: process-entry-leader-parent-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.entry_leader.parent.user.risk.static_score: - dashed_name: process-entry-leader-parent-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.entry_leader.parent.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.entry_leader.parent.user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.parent.user.roles: - dashed_name: process-entry-leader-parent-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.vpid: - dashed_name: process-entry-leader-parent-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.entry_leader.parent.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.entry_leader.parent.working_directory: - dashed_name: process-entry-leader-parent-working-directory - description: The working directory of the process. 
- example: /home/alice - flat_name: process.entry_leader.parent.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword - process.entry_leader.pe.architecture: - dashed_name: process-entry-leader-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.entry_leader.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword - process.entry_leader.pe.company: - dashed_name: process-entry-leader-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.entry_leader.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.entry_leader.pe.description: - dashed_name: process-entry-leader-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.entry_leader.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword - process.entry_leader.pe.file_version: - dashed_name: process-entry-leader-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.entry_leader.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. 
- type: keyword - process.entry_leader.pe.go_import_hash: - dashed_name: process-entry-leader-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.entry_leader.pe.go_imports: - dashed_name: process-entry-leader-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.entry_leader.pe.go_imports_names_entropy: - dashed_name: process-entry-leader-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long - process.entry_leader.pe.go_imports_names_var_entropy: - dashed_name: process-entry-leader-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. 
- flat_name: process.entry_leader.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.entry_leader.pe.go_stripped: - dashed_name: process-entry-leader-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.entry_leader.pe.imphash: - dashed_name: process-entry-leader-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.entry_leader.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.entry_leader.pe.import_hash: - dashed_name: process-entry-leader-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.entry_leader.pe.imports: - dashed_name: process-entry-leader-pe-imports - description: List of imported element names and types. - flat_name: process.entry_leader.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened - process.entry_leader.pe.imports_names_entropy: - dashed_name: process-entry-leader-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.entry_leader.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.entry_leader.pe.imports_names_var_entropy: - dashed_name: process-entry-leader-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.entry_leader.pe.original_file_name: - dashed_name: process-entry-leader-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.entry_leader.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. 
- type: keyword - process.entry_leader.pe.pehash: - dashed_name: process-entry-leader-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.entry_leader.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword - process.entry_leader.pe.product: - dashed_name: process-entry-leader-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.entry_leader.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.entry_leader.pe.sections: - dashed_name: process-entry-leader-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.entry_leader.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested - process.entry_leader.pe.sections.entropy: - dashed_name: process-entry-leader-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. 
- type: long - process.entry_leader.pe.sections.name: - dashed_name: process-entry-leader-pe-sections-name - description: PE Section List name. - flat_name: process.entry_leader.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword - process.entry_leader.pe.sections.physical_size: - dashed_name: process-entry-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.entry_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.entry_leader.pe.sections.var_entropy: - dashed_name: process-entry-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.entry_leader.pe.sections.virtual_size: - dashed_name: process-entry-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.entry_leader.pid: - dashed_name: process-entry-leader-pid - description: Process id. - example: 4242 - flat_name: process.entry_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.entry_leader.platform_binary: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.entry_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.entry_leader.real_group.domain: - dashed_name: process-entry-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.real_group.id: - dashed_name: process-entry-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.real_group.name: - dashed_name: process-entry-leader-real-group-name - description: Name of the group. - flat_name: process.entry_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.real_user.domain: - dashed_name: process-entry-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.entry_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.entry_leader.real_user.email: - dashed_name: process-entry-leader-real-user-email - description: User email address. - flat_name: process.entry_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.entry_leader.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.entry_leader.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.entry_leader.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.entry_leader.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.entry_leader.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.real_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.entry_leader.real_user.entity.id: - dashed_name: process-entry-leader-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.entry_leader.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. 
- type: keyword - process.entry_leader.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.entry_leader.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.entry_leader.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.entry_leader.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.entry_leader.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-name - description: The name of the entity. 
The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.entry_leader.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.real_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.entry_leader.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.entry_leader.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.entry_leader.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.entry_leader.real_user.entity.source: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-real-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.entry_leader.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.entry_leader.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.entry_leader.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. 
- name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. 
- name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.entry_leader.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.entry_leader.real_user.full_name: - dashed_name: process-entry-leader-real-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.entry_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.real_user.group.domain: - dashed_name: process-entry-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.real_user.group.id: - dashed_name: process-entry-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.real_user.group.name: - dashed_name: process-entry-leader-real-user-group-name - description: Name of the group. - flat_name: process.entry_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.real_user.hash: - dashed_name: process-entry-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.entry_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.real_user.id: - dashed_name: process-entry-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.entry_leader.real_user.name: - dashed_name: process-entry-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.entry_leader.real_user.risk.calculated_level: - dashed_name: process-entry-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.entry_leader.real_user.risk.calculated_score: - dashed_name: process-entry-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.entry_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.entry_leader.real_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.real_user.risk.static_level: - dashed_name: process-entry-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.entry_leader.real_user.risk.static_score: - dashed_name: process-entry-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.entry_leader.real_user.risk.static_score_norm: - dashed_name: process-entry-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.real_user.roles: - dashed_name: process-entry-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.entry_leader.same_as_process: - dashed_name: process-entry-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. 
- e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.entry_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.entry_leader.saved_group.domain: - dashed_name: process-entry-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.saved_group.id: - dashed_name: process-entry-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.saved_group.name: - dashed_name: process-entry-leader-saved-group-name - description: Name of the group. - flat_name: process.entry_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.entry_leader.saved_user.domain: - dashed_name: process-entry-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.entry_leader.saved_user.email: - dashed_name: process-entry-leader-saved-user-email - description: User email address. - flat_name: process.entry_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.entry_leader.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.entry_leader.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.entry_leader.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. 
Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.entry_leader.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.saved_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.entry_leader.saved_user.entity.id: - dashed_name: process-entry-leader-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' 
- flat_name: process.entry_leader.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.entry_leader.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.entry_leader.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.entry_leader.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.entry_leader.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. 
- type: object - process.entry_leader.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.entry_leader.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.saved_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.entry_leader.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.entry_leader.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.entry_leader.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. 
- flat_name: process.entry_leader.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.entry_leader.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.entry_leader.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.entry_leader.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.entry_leader.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. 
- name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. 
This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
- example: host - flat_name: process.entry_leader.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.entry_leader.saved_user.full_name: - dashed_name: process-entry-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.saved_user.group.domain: - dashed_name: process-entry-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.saved_user.group.id: - dashed_name: process-entry-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.saved_user.group.name: - dashed_name: process-entry-leader-saved-user-group-name - description: Name of the group. - flat_name: process.entry_leader.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.entry_leader.saved_user.hash: - dashed_name: process-entry-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.saved_user.id: - dashed_name: process-entry-leader-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.entry_leader.saved_user.name: - dashed_name: process-entry-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.entry_leader.saved_user.risk.calculated_level: - dashed_name: process-entry-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: keyword - process.entry_leader.saved_user.risk.calculated_score: - dashed_name: process-entry-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.entry_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.saved_user.risk.static_level: - dashed_name: process-entry-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.entry_leader.saved_user.risk.static_score: - dashed_name: process-entry-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.entry_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.entry_leader.saved_user.risk.static_score_norm: - dashed_name: process-entry-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.saved_user.roles: - dashed_name: process-entry-leader-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.entry_leader.start: - dashed_name: process-entry-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.entry_leader.supplemental_groups.domain: - dashed_name: process-entry-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.entry_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.supplemental_groups.id: - dashed_name: process-entry-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.supplemental_groups.name: - dashed_name: process-entry-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.entry_leader.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.thread.capabilities.effective: - dashed_name: process-entry-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword - process.entry_leader.thread.capabilities.permitted: - dashed_name: process-entry-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.entry_leader.thread.id: - dashed_name: process-entry-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.entry_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long - process.entry_leader.thread.name: - dashed_name: process-entry-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.entry_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword - process.entry_leader.title: - dashed_name: process-entry-leader-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - flat_name: process.entry_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword - process.entry_leader.tty: - dashed_name: process-entry-leader-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.entry_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. 
- type: object - process.entry_leader.tty.char_device.major: - dashed_name: process-entry-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.entry_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long - process.entry_leader.tty.char_device.minor: - dashed_name: process-entry-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.entry_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long - process.entry_leader.tty.columns: - dashed_name: process-entry-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.entry_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.entry_leader.tty.rows: - dashed_name: process-entry-leader-tty-rows - description: 'The number of character rows in the terminal. 
e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.entry_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.entry_leader.uptime: - dashed_name: process-entry-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.entry_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long - process.entry_leader.user.domain: - dashed_name: process-entry-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.entry_leader.user.email: - dashed_name: process-entry-leader-user-email - description: User email address. - flat_name: process.entry_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.entry_leader.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. 
- flat_name: process.entry_leader.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.entry_leader.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.entry_leader.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.entry_leader.user.entity.id: - dashed_name: process-entry-leader-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.entry_leader.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.entry_leader.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.entry_leader.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. 
- type: object - process.entry_leader.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.entry_leader.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.entry_leader.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.entry_leader.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.entry_leader.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.entry_leader.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.entry_leader.user.entity.reference: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.entry_leader.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.entry_leader.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.entry_leader.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. 
- type: keyword - process.entry_leader.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. 
- name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-type - description: 'A standardized high-level classification of the entity. 
This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.entry_leader.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.entry_leader.user.full_name: - dashed_name: process-entry-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.user.group.domain: - dashed_name: process-entry-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.user.group.id: - dashed_name: process-entry-leader-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.user.group.name: - dashed_name: process-entry-leader-user-group-name - description: Name of the group. 
- flat_name: process.entry_leader.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.user.hash: - dashed_name: process-entry-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.user.id: - dashed_name: process-entry-leader-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.entry_leader.user.name: - dashed_name: process-entry-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.entry_leader.user.risk.calculated_level: - dashed_name: process-entry-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: High - flat_name: process.entry_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.entry_leader.user.risk.calculated_score: - dashed_name: process-entry-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.entry_leader.user.risk.calculated_score_norm: - dashed_name: process-entry-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.user.risk.static_level: - dashed_name: process-entry-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: keyword - process.entry_leader.user.risk.static_score: - dashed_name: process-entry-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.entry_leader.user.risk.static_score_norm: - dashed_name: process-entry-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.user.roles: - dashed_name: process-entry-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.entry_leader.vpid: - dashed_name: process-entry-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' 
- example: 4242 - flat_name: process.entry_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.entry_leader.working_directory: - dashed_name: process-entry-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.entry_leader.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword - process.entry_meta.source.address: - dashed_name: process-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword - process.entry_meta.source.as.number: - dashed_name: process-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.entry_meta.source.as.organization.name: - dashed_name: process-entry-meta-source-as-organization-name - description: Organization name. 
- example: Google LLC - flat_name: process.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword - process.entry_meta.source.bytes: - dashed_name: process-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.entry_meta.source.domain: - dashed_name: process-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.entry_meta.source.geo.city_name: - dashed_name: process-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.entry_meta.source.geo.continent_code: - dashed_name: process-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. 
- type: keyword - process.entry_meta.source.geo.continent_name: - dashed_name: process-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.entry_meta.source.geo.country_iso_code: - dashed_name: process-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - process.entry_meta.source.geo.country_name: - dashed_name: process-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - process.entry_meta.source.geo.location: - dashed_name: process-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - process.entry_meta.source.geo.name: - dashed_name: process-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' 
- example: boston-dc - flat_name: process.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.entry_meta.source.geo.postal_code: - dashed_name: process-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.entry_meta.source.geo.region_iso_code: - dashed_name: process-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.entry_meta.source.geo.region_name: - dashed_name: process-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - process.entry_meta.source.geo.timezone: - dashed_name: process-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.entry_meta.source.ip: - dashed_name: process-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). 
- flat_name: process.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip - process.entry_meta.source.mac: - dashed_name: process-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.entry_meta.source.nat.ip: - dashed_name: process-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.entry_meta.source.nat.port: - dashed_name: process-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.entry_meta.source.packets: - dashed_name: process-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. 
- type: long - process.entry_meta.source.port: - dashed_name: process-entry-meta-source-port - description: Port of the source. - flat_name: process.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.entry_meta.source.registered_domain: - dashed_name: process-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.entry_meta.source.subdomain: - dashed_name: process-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. 
- type: keyword - process.entry_meta.source.top_level_domain: - dashed_name: process-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword - process.entry_meta.type: - dashed_name: process-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - short: The entry type for the entry session leader. - type: keyword - process.env_vars: - dashed_name: process-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.executable: - dashed_name: process-executable - description: Absolute path to the process executable. 
- example: /usr/bin/ssh - flat_name: process.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - otel: - - attribute: process.executable.path - relation: equivalent - short: Absolute path to the process executable. - type: keyword - process.exit_code: - dashed_name: process-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.exit_code - level: extended - name: exit_code - normalize: [] - short: The exit code of the process. - type: long - process.group.domain: - dashed_name: process-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.group.id: - dashed_name: process-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.group.name: - dashed_name: process-group-name - description: Name of the group. - flat_name: process.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.group_leader.args: - dashed_name: process-group-leader-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' 
- example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.group_leader.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.group_leader.args_count: - dashed_name: process-group-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.group_leader.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long - process.group_leader.attested_groups.domain: - dashed_name: process-group-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.group_leader.attested_groups.id: - dashed_name: process-group-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.group_leader.attested_groups.name: - dashed_name: process-group-leader-attested-groups-name - description: Name of the group. - flat_name: process.group_leader.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.group_leader.attested_user.domain: - dashed_name: process-group-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.group_leader.attested_user.email: - dashed_name: process-group-leader-attested-user-email - description: User email address. - flat_name: process.group_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.group_leader.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.group_leader.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.group_leader.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. 
Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.group_leader.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.group_leader.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.group_leader.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.attested_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.group_leader.attested_user.entity.id: - dashed_name: process-group-leader-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' 
- flat_name: process.group_leader.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.group_leader.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.group_leader.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.group_leader.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.group_leader.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.group_leader.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.group_leader.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. 
- type: object - process.group_leader.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.group_leader.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.attested_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.group_leader.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.group_leader.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.group_leader.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. 
- flat_name: process.group_leader.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.group_leader.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.group_leader.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.group_leader.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.group_leader.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.group_leader.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. 
Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. 
Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. 
- Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.group_leader.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.group_leader.attested_user.full_name: - dashed_name: process-group-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.group_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.group_leader.attested_user.group.domain: - dashed_name: process-group-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.group_leader.attested_user.group.id: - dashed_name: process-group-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.group_leader.attested_user.group.name: - dashed_name: process-group-leader-attested-user-group-name - description: Name of the group. 
- flat_name: process.group_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.group_leader.attested_user.hash: - dashed_name: process-group-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.group_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.group_leader.attested_user.id: - dashed_name: process-group-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.group_leader.attested_user.name: - dashed_name: process-group-leader-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.group_leader.attested_user.risk.calculated_level: - dashed_name: process-group-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: High - flat_name: process.group_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.group_leader.attested_user.risk.calculated_score: - dashed_name: process-group-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.group_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.group_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-group-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.group_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.group_leader.attested_user.risk.static_level: - dashed_name: process-group-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.group_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.group_leader.attested_user.risk.static_score: - dashed_name: process-group-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.group_leader.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.group_leader.attested_user.risk.static_score_norm: - dashed_name: process-group-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.group_leader.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.group_leader.attested_user.roles: - dashed_name: process-group-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.group_leader.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword - process.group_leader.code_signature.digest_algorithm: - dashed_name: process-group-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.group_leader.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword - process.group_leader.code_signature.exists: - dashed_name: process-group-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.group_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.group_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.group_leader.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword - process.group_leader.code_signature.signing_id: - dashed_name: process-group-leader-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' 
- example: com.apple.xpc.proxy - flat_name: process.group_leader.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword - process.group_leader.code_signature.status: - dashed_name: process-group-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.group_leader.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword - process.group_leader.code_signature.subject_name: - dashed_name: process-group-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.group_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - process.group_leader.code_signature.team_id: - dashed_name: process-group-leader-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.group_leader.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.group_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. 
- dashed_name: process-group-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.group_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword - process.group_leader.code_signature.timestamp: - dashed_name: process-group-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.group_leader.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date - process.group_leader.code_signature.trusted: - dashed_name: process-group-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.group_leader.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - process.group_leader.code_signature.valid: - dashed_name: process-group-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' 
- example: 'true' - flat_name: process.group_leader.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - process.group_leader.command_line: - dashed_name: process-group-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.group_leader.command_line - level: extended - multi_fields: - - flat_name: process.group_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.group_leader.elf.architecture: - dashed_name: process-group-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.group_leader.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword - process.group_leader.elf.byte_order: - dashed_name: process-group-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.group_leader.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword - process.group_leader.elf.cpu_type: - dashed_name: process-group-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.group_leader.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. 
- type: keyword - process.group_leader.elf.creation_date: - dashed_name: process-group-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: process.group_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date - process.group_leader.elf.exports: - dashed_name: process-group-leader-elf-exports - description: List of exported element names and types. - flat_name: process.group_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - process.group_leader.elf.go_import_hash: - dashed_name: process-group-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.group_leader.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword - process.group_leader.elf.go_imports: - dashed_name: process-group-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.group_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. 
- type: flattened - process.group_leader.elf.go_imports_names_entropy: - dashed_name: process-group-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.group_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long - process.group_leader.elf.go_imports_names_var_entropy: - dashed_name: process-group-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.group_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.group_leader.elf.go_stripped: - dashed_name: process-group-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.group_leader.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.group_leader.elf.header.abi_version: - dashed_name: process-group-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.group_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword - process.group_leader.elf.header.class: - dashed_name: process-group-leader-elf-header-class - description: Header class of the ELF file. 
- flat_name: process.group_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword - process.group_leader.elf.header.data: - dashed_name: process-group-leader-elf-header-data - description: Data table of the ELF header. - flat_name: process.group_leader.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword - process.group_leader.elf.header.entrypoint: - dashed_name: process-group-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.group_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - process.group_leader.elf.header.object_version: - dashed_name: process-group-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.group_leader.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword - process.group_leader.elf.header.os_abi: - dashed_name: process-group-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.group_leader.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword - process.group_leader.elf.header.type: - dashed_name: process-group-leader-elf-header-type - description: Header type of the ELF file. 
- flat_name: process.group_leader.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword - process.group_leader.elf.header.version: - dashed_name: process-group-leader-elf-header-version - description: Version of the ELF header. - flat_name: process.group_leader.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword - process.group_leader.elf.import_hash: - dashed_name: process-group-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.group_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword - process.group_leader.elf.imports: - dashed_name: process-group-leader-elf-imports - description: List of imported element names and types. - flat_name: process.group_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - process.group_leader.elf.imports_names_entropy: - dashed_name: process-group-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.group_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. 
- type: long - process.group_leader.elf.imports_names_var_entropy: - dashed_name: process-group-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.group_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.group_leader.elf.sections: - dashed_name: process-group-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.group_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - process.group_leader.elf.sections.chi2: - dashed_name: process-group-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.group_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - process.group_leader.elf.sections.entropy: - dashed_name: process-group-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.group_leader.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - process.group_leader.elf.sections.flags: - dashed_name: process-group-leader-elf-sections-flags - description: ELF Section List flags. 
- flat_name: process.group_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword - process.group_leader.elf.sections.name: - dashed_name: process-group-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.group_leader.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - process.group_leader.elf.sections.physical_offset: - dashed_name: process-group-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.group_leader.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword - process.group_leader.elf.sections.physical_size: - dashed_name: process-group-leader-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.group_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long - process.group_leader.elf.sections.type: - dashed_name: process-group-leader-elf-sections-type - description: ELF Section List type. - flat_name: process.group_leader.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword - process.group_leader.elf.sections.var_entropy: - dashed_name: process-group-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. 
- flat_name: process.group_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long - process.group_leader.elf.sections.virtual_address: - dashed_name: process-group-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.group_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - process.group_leader.elf.sections.virtual_size: - dashed_name: process-group-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.group_leader.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long - process.group_leader.elf.segments: - dashed_name: process-group-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: process.group_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested - process.group_leader.elf.segments.sections: - dashed_name: process-group-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.group_leader.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword - process.group_leader.elf.segments.type: - dashed_name: process-group-leader-elf-segments-type - description: ELF object segment type. 
- flat_name: process.group_leader.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword - process.group_leader.elf.shared_libraries: - dashed_name: process-group-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.group_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword - process.group_leader.elf.telfhash: - dashed_name: process-group-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.group_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - process.group_leader.end: - dashed_name: process-group-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.group_leader.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date - process.group_leader.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.group_leader.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.group_leader.entity_id: - dashed_name: process-group-leader-entity-id - description: 'Unique identifier for the process. 
- - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.group_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.group_leader.entry_meta.source.address: - dashed_name: process-group-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.group_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword - process.group_leader.entry_meta.source.as.number: - dashed_name: process-group-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.group_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.group_leader.entry_meta.source.as.organization.name: - dashed_name: process-group-leader-entry-meta-source-as-organization-name - description: Organization name. 
- example: Google LLC - flat_name: process.group_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword - process.group_leader.entry_meta.source.bytes: - dashed_name: process-group-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.group_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.group_leader.entry_meta.source.domain: - dashed_name: process-group-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.group_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.group_leader.entry_meta.source.geo.city_name: - dashed_name: process-group-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.group_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.group_leader.entry_meta.source.geo.continent_code: - dashed_name: process-group-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. 
- example: NA - flat_name: process.group_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - process.group_leader.entry_meta.source.geo.continent_name: - dashed_name: process-group-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.group_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.group_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-group-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.group_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - process.group_leader.entry_meta.source.geo.country_name: - dashed_name: process-group-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.group_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - process.group_leader.entry_meta.source.geo.location: - dashed_name: process-group-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.group_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. 
- type: geo_point - process.group_leader.entry_meta.source.geo.name: - dashed_name: process-group-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.group_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.group_leader.entry_meta.source.geo.postal_code: - dashed_name: process-group-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.group_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.group_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-group-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.group_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.group_leader.entry_meta.source.geo.region_name: - dashed_name: process-group-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.group_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. 
- type: keyword - process.group_leader.entry_meta.source.geo.timezone: - dashed_name: process-group-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.group_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.group_leader.entry_meta.source.ip: - dashed_name: process-group-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.group_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip - process.group_leader.entry_meta.source.mac: - dashed_name: process-group-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.group_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.group_leader.entry_meta.source.nat.ip: - dashed_name: process-group-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' 
- flat_name: process.group_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.group_leader.entry_meta.source.nat.port: - dashed_name: process-group-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.group_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.group_leader.entry_meta.source.packets: - dashed_name: process-group-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.group_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.group_leader.entry_meta.source.port: - dashed_name: process-group-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.group_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.group_leader.entry_meta.source.registered_domain: - dashed_name: process-group-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' 
- example: example.com - flat_name: process.group_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.group_leader.entry_meta.source.subdomain: - dashed_name: process-group-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.group_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword - process.group_leader.entry_meta.source.top_level_domain: - dashed_name: process-group-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' 
- example: co.uk - flat_name: process.group_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword - process.group_leader.entry_meta.type: - dashed_name: process-group-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.group_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword - process.group_leader.env_vars: - dashed_name: process-group-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.group_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.group_leader.executable: - dashed_name: process-group-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.group_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. 
- type: keyword - process.group_leader.exit_code: - dashed_name: process-group-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.group_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long - process.group_leader.group.domain: - dashed_name: process-group-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.group_leader.group.id: - dashed_name: process-group-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.group_leader.group.name: - dashed_name: process-group-leader-group-name - description: Name of the group. - flat_name: process.group_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.group_leader.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. 
- example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.group_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.group_leader.hash.md5: - dashed_name: process-group-leader-hash-md5 - description: MD5 hash. - flat_name: process.group_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.group_leader.hash.sha1: - dashed_name: process-group-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.group_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.group_leader.hash.sha256: - dashed_name: process-group-leader-hash-sha256 - description: SHA256 hash. - flat_name: process.group_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.group_leader.hash.sha384: - dashed_name: process-group-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.group_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword - process.group_leader.hash.sha512: - dashed_name: process-group-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.group_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.group_leader.hash.ssdeep: - dashed_name: process-group-leader-hash-ssdeep - description: SSDEEP hash. - flat_name: process.group_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. 
- type: keyword - process.group_leader.hash.tlsh: - dashed_name: process-group-leader-hash-tlsh - description: TLSH hash. - flat_name: process.group_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.group_leader.interactive: - dashed_name: process-group-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.group_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.group_leader.io: - dashed_name: process-group-leader-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.group_leader.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object - process.group_leader.io.bytes_skipped: - dashed_name: process-group-leader-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. 
- flat_name: process.group_leader.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been - skipped. - type: object - process.group_leader.io.bytes_skipped.length: - dashed_name: process-group-leader-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.group_leader.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long - process.group_leader.io.bytes_skipped.offset: - dashed_name: process-group-leader-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.group_leader.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.group_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-group-leader-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.group_leader.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean - process.group_leader.io.text: - dashed_name: process-group-leader-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. 
TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.group_leader.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard - process.group_leader.io.total_bytes_captured: - dashed_name: process-group-leader-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.group_leader.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long - process.group_leader.io.total_bytes_skipped: - dashed_name: process-group-leader-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.group_leader.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. - type: long - process.group_leader.io.type: - dashed_name: process-group-leader-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - flat_name: process.group_leader.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. 
- type: keyword - process.group_leader.macho.go_import_hash: - dashed_name: process-group-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.group_leader.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword - process.group_leader.macho.go_imports: - dashed_name: process-group-leader-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.group_leader.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.group_leader.macho.go_imports_names_entropy: - dashed_name: process-group-leader-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.group_leader.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long - process.group_leader.macho.go_imports_names_var_entropy: - dashed_name: process-group-leader-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. 
- flat_name: process.group_leader.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.group_leader.macho.go_stripped: - dashed_name: process-group-leader-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.group_leader.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.group_leader.macho.import_hash: - dashed_name: process-group-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.group_leader.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.group_leader.macho.imports: - dashed_name: process-group-leader-macho-imports - description: List of imported element names and types. - flat_name: process.group_leader.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened - process.group_leader.macho.imports_names_entropy: - dashed_name: process-group-leader-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.group_leader.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.group_leader.macho.imports_names_var_entropy: - dashed_name: process-group-leader-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.group_leader.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.group_leader.macho.sections: - dashed_name: process-group-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.group_leader.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.group_leader.macho.sections.entropy: - dashed_name: process-group-leader-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.group_leader.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long - process.group_leader.macho.sections.name: - dashed_name: process-group-leader-macho-sections-name - description: Mach-O Section List name. 
- flat_name: process.group_leader.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.group_leader.macho.sections.physical_size: - dashed_name: process-group-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.group_leader.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long - process.group_leader.macho.sections.var_entropy: - dashed_name: process-group-leader-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.group_leader.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long - process.group_leader.macho.sections.virtual_size: - dashed_name: process-group-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.group_leader.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long - process.group_leader.macho.symhash: - dashed_name: process-group-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. 
- - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.group_leader.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.group_leader.name: - dashed_name: process-group-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.group_leader.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword - process.group_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.group_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.group_leader.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.group_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword - process.group_leader.pe.architecture: - dashed_name: process-group-leader-pe-architecture - description: CPU architecture target for the file. 
- example: x64 - flat_name: process.group_leader.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword - process.group_leader.pe.company: - dashed_name: process-group-leader-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.group_leader.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.group_leader.pe.description: - dashed_name: process-group-leader-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.group_leader.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword - process.group_leader.pe.file_version: - dashed_name: process-group-leader-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.group_leader.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - process.group_leader.pe.go_import_hash: - dashed_name: process-group-leader-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.group_leader.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.group_leader.pe.go_imports: - dashed_name: process-group-leader-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.group_leader.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.group_leader.pe.go_imports_names_entropy: - dashed_name: process-group-leader-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.group_leader.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long - process.group_leader.pe.go_imports_names_var_entropy: - dashed_name: process-group-leader-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.group_leader.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.group_leader.pe.go_stripped: - dashed_name: process-group-leader-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. 
- flat_name: process.group_leader.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.group_leader.pe.imphash: - dashed_name: process-group-leader-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.group_leader.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.group_leader.pe.import_hash: - dashed_name: process-group-leader-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.group_leader.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.group_leader.pe.imports: - dashed_name: process-group-leader-pe-imports - description: List of imported element names and types. - flat_name: process.group_leader.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. 
- type: flattened - process.group_leader.pe.imports_names_entropy: - dashed_name: process-group-leader-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.group_leader.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.group_leader.pe.imports_names_var_entropy: - dashed_name: process-group-leader-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.group_leader.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.group_leader.pe.original_file_name: - dashed_name: process-group-leader-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.group_leader.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword - process.group_leader.pe.pehash: - dashed_name: process-group-leader-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' 
- example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.group_leader.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword - process.group_leader.pe.product: - dashed_name: process-group-leader-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.group_leader.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.group_leader.pe.sections: - dashed_name: process-group-leader-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.group_leader.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested - process.group_leader.pe.sections.entropy: - dashed_name: process-group-leader-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.group_leader.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long - process.group_leader.pe.sections.name: - dashed_name: process-group-leader-pe-sections-name - description: PE Section List name. - flat_name: process.group_leader.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. 
- type: keyword - process.group_leader.pe.sections.physical_size: - dashed_name: process-group-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.group_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.group_leader.pe.sections.var_entropy: - dashed_name: process-group-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.group_leader.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.group_leader.pe.sections.virtual_size: - dashed_name: process-group-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.group_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.group_leader.pid: - dashed_name: process-group-leader-pid - description: Process id. - example: 4242 - flat_name: process.group_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - otel: - - relation: match - short: Process id. - type: long - process.group_leader.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. 
- flat_name: process.group_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.group_leader.real_group.domain: - dashed_name: process-group-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.group_leader.real_group.id: - dashed_name: process-group-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.group_leader.real_group.name: - dashed_name: process-group-leader-real-group-name - description: Name of the group. - flat_name: process.group_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.group_leader.real_user.domain: - dashed_name: process-group-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.group_leader.real_user.email: - dashed_name: process-group-leader-real-user-email - description: User email address. 
- flat_name: process.group_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.group_leader.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.group_leader.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.group_leader.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.group_leader.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.group_leader.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. 
This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.group_leader.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.real_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.group_leader.real_user.entity.id: - dashed_name: process-group-leader-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.group_leader.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.group_leader.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.group_leader.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." 
- type: date - process.group_leader.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.group_leader.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.group_leader.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.group_leader.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.group_leader.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.group_leader.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.real_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. 
- type: keyword - process.group_leader.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.group_leader.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.group_leader.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.group_leader.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.group_leader.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.group_leader.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.group_leader.real_user.entity.sub_type: - beta: This field is beta and subject to change. 
- dashed_name: process-group-leader-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.group_leader.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.group_leader.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. 
This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.group_leader.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.group_leader.real_user.full_name: - dashed_name: process-group-leader-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.group_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. 
- type: keyword - process.group_leader.real_user.group.domain: - dashed_name: process-group-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.group_leader.real_user.group.id: - dashed_name: process-group-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.group_leader.real_user.group.name: - dashed_name: process-group-leader-real-user-group-name - description: Name of the group. - flat_name: process.group_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.group_leader.real_user.hash: - dashed_name: process-group-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.group_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.group_leader.real_user.id: - dashed_name: process-group-leader-real-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.group_leader.real_user.name: - dashed_name: process-group-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.group_leader.real_user.risk.calculated_level: - dashed_name: process-group-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.group_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.group_leader.real_user.risk.calculated_score: - dashed_name: process-group-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.group_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.group_leader.real_user.risk.calculated_score_norm: - dashed_name: process-group-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.group_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.group_leader.real_user.risk.static_level: - dashed_name: process-group-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.group_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.group_leader.real_user.risk.static_score: - dashed_name: process-group-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.group_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.group_leader.real_user.risk.static_score_norm: - dashed_name: process-group-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.group_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.group_leader.real_user.roles: - dashed_name: process-group-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.group_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.group_leader.same_as_process: - dashed_name: process-group-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. 
- e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.group_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.group_leader.saved_group.domain: - dashed_name: process-group-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.group_leader.saved_group.id: - dashed_name: process-group-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.group_leader.saved_group.name: - dashed_name: process-group-leader-saved-group-name - description: Name of the group. - flat_name: process.group_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.group_leader.saved_user.domain: - dashed_name: process-group-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.group_leader.saved_user.email: - dashed_name: process-group-leader-saved-user-email - description: User email address. - flat_name: process.group_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.group_leader.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.group_leader.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.group_leader.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. 
Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.group_leader.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.group_leader.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.group_leader.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.saved_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.group_leader.saved_user.entity.id: - dashed_name: process-group-leader-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' 
- flat_name: process.group_leader.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.group_leader.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.group_leader.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.group_leader.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.group_leader.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.group_leader.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.group_leader.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. 
- type: object - process.group_leader.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.group_leader.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.saved_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.group_leader.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.group_leader.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.group_leader.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. 
- flat_name: process.group_leader.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.group_leader.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.group_leader.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.group_leader.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.group_leader.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.group_leader.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. 
- name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. 
This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
- example: host - flat_name: process.group_leader.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.group_leader.saved_user.full_name: - dashed_name: process-group-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.group_leader.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.group_leader.saved_user.group.domain: - dashed_name: process-group-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.group_leader.saved_user.group.id: - dashed_name: process-group-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.group_leader.saved_user.group.name: - dashed_name: process-group-leader-saved-user-group-name - description: Name of the group. - flat_name: process.group_leader.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.group_leader.saved_user.hash: - dashed_name: process-group-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.group_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.group_leader.saved_user.id: - dashed_name: process-group-leader-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.group_leader.saved_user.name: - dashed_name: process-group-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.group_leader.saved_user.risk.calculated_level: - dashed_name: process-group-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.group_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: keyword - process.group_leader.saved_user.risk.calculated_score: - dashed_name: process-group-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.group_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.group_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-group-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.group_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.group_leader.saved_user.risk.static_level: - dashed_name: process-group-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.group_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.group_leader.saved_user.risk.static_score: - dashed_name: process-group-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.group_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.group_leader.saved_user.risk.static_score_norm: - dashed_name: process-group-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.group_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.group_leader.saved_user.roles: - dashed_name: process-group-leader-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.group_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.group_leader.start: - dashed_name: process-group-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.group_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.group_leader.supplemental_groups.domain: - dashed_name: process-group-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.group_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.group_leader.supplemental_groups.id: - dashed_name: process-group-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.group_leader.supplemental_groups.name: - dashed_name: process-group-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.group_leader.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.group_leader.thread.capabilities.effective: - dashed_name: process-group-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.group_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword - process.group_leader.thread.capabilities.permitted: - dashed_name: process-group-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.group_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.group_leader.thread.id: - dashed_name: process-group-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.group_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long - process.group_leader.thread.name: - dashed_name: process-group-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.group_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword - process.group_leader.title: - dashed_name: process-group-leader-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - flat_name: process.group_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword - process.group_leader.tty: - dashed_name: process-group-leader-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.group_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. 
- type: object - process.group_leader.tty.char_device.major: - dashed_name: process-group-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.group_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long - process.group_leader.tty.char_device.minor: - dashed_name: process-group-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.group_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long - process.group_leader.tty.columns: - dashed_name: process-group-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.group_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.group_leader.tty.rows: - dashed_name: process-group-leader-tty-rows - description: 'The number of character rows in the terminal. 
e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.group_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.group_leader.uptime: - dashed_name: process-group-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.group_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long - process.group_leader.user.domain: - dashed_name: process-group-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.group_leader.user.email: - dashed_name: process-group-leader-user-email - description: User email address. - flat_name: process.group_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.group_leader.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. 
- flat_name: process.group_leader.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.group_leader.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.group_leader.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.group_leader.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.group_leader.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.group_leader.user.entity.id: - dashed_name: process-group-leader-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.group_leader.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.group_leader.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.group_leader.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.group_leader.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.group_leader.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. 
- type: object - process.group_leader.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.group_leader.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.group_leader.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.group_leader.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.group_leader.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.group_leader.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.group_leader.user.entity.reference: - beta: This field is beta and subject to change. 
- dashed_name: process-group-leader-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.group_leader.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.group_leader.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.group_leader.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.group_leader.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.group_leader.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. 
- type: keyword - process.group_leader.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. 
- name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-type - description: 'A standardized high-level classification of the entity. 
This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.group_leader.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.group_leader.user.full_name: - dashed_name: process-group-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.group_leader.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.group_leader.user.group.domain: - dashed_name: process-group-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.group_leader.user.group.id: - dashed_name: process-group-leader-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.group_leader.user.group.name: - dashed_name: process-group-leader-user-group-name - description: Name of the group. 
- flat_name: process.group_leader.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.group_leader.user.hash: - dashed_name: process-group-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.group_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.group_leader.user.id: - dashed_name: process-group-leader-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.group_leader.user.name: - dashed_name: process-group-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.group_leader.user.risk.calculated_level: - dashed_name: process-group-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: High - flat_name: process.group_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.group_leader.user.risk.calculated_score: - dashed_name: process-group-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.group_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.group_leader.user.risk.calculated_score_norm: - dashed_name: process-group-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.group_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.group_leader.user.risk.static_level: - dashed_name: process-group-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.group_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: keyword - process.group_leader.user.risk.static_score: - dashed_name: process-group-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.group_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.group_leader.user.risk.static_score_norm: - dashed_name: process-group-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.group_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.group_leader.user.roles: - dashed_name: process-group-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.group_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.group_leader.vpid: - dashed_name: process-group-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' 
- example: 4242 - flat_name: process.group_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.group_leader.working_directory: - dashed_name: process-group-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.group_leader.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword - process.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.hash.md5: - dashed_name: process-hash-md5 - description: MD5 hash. - flat_name: process.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.hash.sha1: - dashed_name: process-hash-sha1 - description: SHA1 hash. - flat_name: process.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.hash.sha256: - dashed_name: process-hash-sha256 - description: SHA256 hash. - flat_name: process.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.hash.sha384: - dashed_name: process-hash-sha384 - description: SHA384 hash. 
- flat_name: process.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword - process.hash.sha512: - dashed_name: process-hash-sha512 - description: SHA512 hash. - flat_name: process.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.hash.ssdeep: - dashed_name: process-hash-ssdeep - description: SSDEEP hash. - flat_name: process.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword - process.hash.tlsh: - dashed_name: process-hash-tlsh - description: TLSH hash. - flat_name: process.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.interactive: - dashed_name: process-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.interactive - level: extended - name: interactive - normalize: [] - otel: - - relation: match - short: Whether the process is connected to an interactive shell. - type: boolean - process.io: - dashed_name: process-io - description: 'A chunk of input or output (IO) from a single process. 
- - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.io - level: extended - name: io - normalize: [] - short: A chunk of input or output (IO) from a single process. - type: object - process.io.bytes_skipped: - dashed_name: process-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - flat_name: process.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - short: An array of byte offsets and lengths denoting where IO data has been - skipped. - type: object - process.io.bytes_skipped.length: - dashed_name: process-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - short: The length of bytes skipped. - type: long - process.io.bytes_skipped.offset: - dashed_name: process-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.io.max_bytes_per_process_exceeded: - dashed_name: process-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean - process.io.text: - dashed_name: process-io-text - description: 'A chunk of output or input sanitized to UTF-8. 
- - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.io.text - level: extended - name: io.text - normalize: [] - short: A chunk of output or input sanitized to UTF-8. - type: wildcard - process.io.total_bytes_captured: - dashed_name: process-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - short: The total number of bytes captured in this event. - type: long - process.io.total_bytes_skipped: - dashed_name: process-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. - type: long - process.io.type: - dashed_name: process-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - flat_name: process.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - short: The type of object on which the IO action (read or write) was taken. - type: keyword - process.macho.go_import_hash: - dashed_name: process-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword - process.macho.go_imports: - dashed_name: process-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.macho.go_imports_names_entropy: - dashed_name: process-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long - process.macho.go_imports_names_var_entropy: - dashed_name: process-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long - process.macho.go_stripped: - dashed_name: process-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.macho.import_hash: - dashed_name: process-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.macho.imports: - dashed_name: process-macho-imports - description: List of imported element names and types. - flat_name: process.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened - process.macho.imports_names_entropy: - dashed_name: process-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.macho.imports_names_var_entropy: - dashed_name: process-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- flat_name: process.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.macho.sections: - dashed_name: process-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.macho.sections.entropy: - dashed_name: process-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long - process.macho.sections.name: - dashed_name: process-macho-sections-name - description: Mach-O Section List name. - flat_name: process.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.macho.sections.physical_size: - dashed_name: process-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long - process.macho.sections.var_entropy: - dashed_name: process-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. 
- flat_name: process.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long - process.macho.sections.virtual_size: - dashed_name: process-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long - process.macho.symhash: - dashed_name: process-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.name: - dashed_name: process-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.name.text - name: text - type: match_only_text - name: name - normalize: [] - short: Process name. - type: keyword - process.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. 
- example: http://example.com/article1.html - flat_name: process.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - short: The URL where the process's executable file is hosted. - type: keyword - process.parent.args: - dashed_name: process-parent-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.parent.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.parent.args_count: - dashed_name: process-parent-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.parent.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long - process.parent.attested_groups.domain: - dashed_name: process-parent-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.parent.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.attested_groups.id: - dashed_name: process-parent-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.attested_groups.name: - dashed_name: process-parent-attested-groups-name - description: Name of the group. - flat_name: process.parent.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.attested_user.domain: - dashed_name: process-parent-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.parent.attested_user.email: - dashed_name: process-parent-attested-user-email - description: User email address. - flat_name: process.parent.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.parent.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. 
Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.parent.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.parent.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.parent.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.parent.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.attested_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.parent.attested_user.entity.id: - dashed_name: process-parent-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.parent.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.parent.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.parent.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.parent.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.parent.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.parent.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.parent.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.parent.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.attested_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.parent.attested_user.entity.raw: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.parent.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.parent.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.parent.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.parent.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.parent.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.parent.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. 
This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.parent.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.parent.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. 
- name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. 
This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.parent.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.parent.attested_user.full_name: - dashed_name: process-parent-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.parent.attested_user.group.domain: - dashed_name: process-parent-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.parent.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.attested_user.group.id: - dashed_name: process-parent-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.attested_user.group.name: - dashed_name: process-parent-attested-user-group-name - description: Name of the group. - flat_name: process.parent.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.attested_user.hash: - dashed_name: process-parent-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.parent.attested_user.id: - dashed_name: process-parent-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.parent.attested_user.name: - dashed_name: process-parent-attested-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.parent.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.parent.attested_user.risk.calculated_level: - dashed_name: process-parent-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.parent.attested_user.risk.calculated_score: - dashed_name: process-parent-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.parent.attested_user.risk.calculated_score_norm: - dashed_name: process-parent-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. 
- example: 88.73 - flat_name: process.parent.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.parent.attested_user.risk.static_level: - dashed_name: process-parent-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.parent.attested_user.risk.static_score: - dashed_name: process-parent-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.parent.attested_user.risk.static_score_norm: - dashed_name: process-parent-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. 
- type: float - process.parent.attested_user.roles: - dashed_name: process-parent-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.parent.code_signature.digest_algorithm: - dashed_name: process-parent-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.parent.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword - process.parent.code_signature.exists: - dashed_name: process-parent-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.parent.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.parent.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-parent-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.parent.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword - process.parent.code_signature.signing_id: - dashed_name: process-parent-code-signature-signing-id - description: 'The identifier used to sign the process. 
- - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.parent.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword - process.parent.code_signature.status: - dashed_name: process-parent-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.parent.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword - process.parent.code_signature.subject_name: - dashed_name: process-parent-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.parent.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - process.parent.code_signature.team_id: - dashed_name: process-parent-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.parent.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. 
- type: keyword - process.parent.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-parent-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.parent.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword - process.parent.code_signature.timestamp: - dashed_name: process-parent-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.parent.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date - process.parent.code_signature.trusted: - dashed_name: process-parent-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.parent.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - process.parent.code_signature.valid: - dashed_name: process-parent-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' 
- example: 'true' - flat_name: process.parent.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - process.parent.command_line: - dashed_name: process-parent-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.parent.command_line - level: extended - multi_fields: - - flat_name: process.parent.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.parent.elf.architecture: - dashed_name: process-parent-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.parent.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword - process.parent.elf.byte_order: - dashed_name: process-parent-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.parent.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword - process.parent.elf.cpu_type: - dashed_name: process-parent-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.parent.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. 
- type: keyword - process.parent.elf.creation_date: - dashed_name: process-parent-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: process.parent.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date - process.parent.elf.exports: - dashed_name: process-parent-elf-exports - description: List of exported element names and types. - flat_name: process.parent.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - process.parent.elf.go_import_hash: - dashed_name: process-parent-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword - process.parent.elf.go_imports: - dashed_name: process-parent-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. 
- type: flattened - process.parent.elf.go_imports_names_entropy: - dashed_name: process-parent-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long - process.parent.elf.go_imports_names_var_entropy: - dashed_name: process-parent-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.parent.elf.go_stripped: - dashed_name: process-parent-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.parent.elf.header.abi_version: - dashed_name: process-parent-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.parent.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword - process.parent.elf.header.class: - dashed_name: process-parent-elf-header-class - description: Header class of the ELF file. 
- flat_name: process.parent.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword - process.parent.elf.header.data: - dashed_name: process-parent-elf-header-data - description: Data table of the ELF header. - flat_name: process.parent.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword - process.parent.elf.header.entrypoint: - dashed_name: process-parent-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.parent.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - process.parent.elf.header.object_version: - dashed_name: process-parent-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.parent.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword - process.parent.elf.header.os_abi: - dashed_name: process-parent-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.parent.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword - process.parent.elf.header.type: - dashed_name: process-parent-elf-header-type - description: Header type of the ELF file. - flat_name: process.parent.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. 
- type: keyword - process.parent.elf.header.version: - dashed_name: process-parent-elf-header-version - description: Version of the ELF header. - flat_name: process.parent.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword - process.parent.elf.import_hash: - dashed_name: process-parent-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword - process.parent.elf.imports: - dashed_name: process-parent-elf-imports - description: List of imported element names and types. - flat_name: process.parent.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - process.parent.elf.imports_names_entropy: - dashed_name: process-parent-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.parent.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.parent.elf.imports_names_var_entropy: - dashed_name: process-parent-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- flat_name: process.parent.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.parent.elf.sections: - dashed_name: process-parent-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.parent.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - process.parent.elf.sections.chi2: - dashed_name: process-parent-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.parent.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - process.parent.elf.sections.entropy: - dashed_name: process-parent-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - process.parent.elf.sections.flags: - dashed_name: process-parent-elf-sections-flags - description: ELF Section List flags. - flat_name: process.parent.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword - process.parent.elf.sections.name: - dashed_name: process-parent-elf-sections-name - description: ELF Section List name. 
- flat_name: process.parent.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - process.parent.elf.sections.physical_offset: - dashed_name: process-parent-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.parent.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword - process.parent.elf.sections.physical_size: - dashed_name: process-parent-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.parent.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long - process.parent.elf.sections.type: - dashed_name: process-parent-elf-sections-type - description: ELF Section List type. - flat_name: process.parent.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword - process.parent.elf.sections.var_entropy: - dashed_name: process-parent-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long - process.parent.elf.sections.virtual_address: - dashed_name: process-parent-elf-sections-virtual-address - description: ELF Section List virtual address. 
- flat_name: process.parent.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - process.parent.elf.sections.virtual_size: - dashed_name: process-parent-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.parent.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long - process.parent.elf.segments: - dashed_name: process-parent-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: process.parent.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested - process.parent.elf.segments.sections: - dashed_name: process-parent-elf-segments-sections - description: ELF object segment sections. - flat_name: process.parent.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword - process.parent.elf.segments.type: - dashed_name: process-parent-elf-segments-type - description: ELF object segment type. - flat_name: process.parent.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword - process.parent.elf.shared_libraries: - dashed_name: process-parent-elf-shared-libraries - description: List of shared libraries used by this ELF object. 
- flat_name: process.parent.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword - process.parent.elf.telfhash: - dashed_name: process-parent-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.parent.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - process.parent.end: - dashed_name: process-parent-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date - process.parent.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-parent-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.parent.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.parent.entity_id: - dashed_name: process-parent-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' 
- example: c2c455d9f99375d - flat_name: process.parent.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.parent.entry_meta.source.address: - dashed_name: process-parent-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.parent.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword - process.parent.entry_meta.source.as.number: - dashed_name: process-parent-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.parent.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.parent.entry_meta.source.as.organization.name: - dashed_name: process-parent-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.parent.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword - process.parent.entry_meta.source.bytes: - dashed_name: process-parent-entry-meta-source-bytes - description: Bytes sent from the source to the destination. 
- example: 184 - flat_name: process.parent.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.parent.entry_meta.source.domain: - dashed_name: process-parent-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.parent.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.parent.entry_meta.source.geo.city_name: - dashed_name: process-parent-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.parent.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.parent.entry_meta.source.geo.continent_code: - dashed_name: process-parent-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.parent.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - process.parent.entry_meta.source.geo.continent_name: - dashed_name: process-parent-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.parent.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. 
- type: keyword - process.parent.entry_meta.source.geo.country_iso_code: - dashed_name: process-parent-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.parent.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - process.parent.entry_meta.source.geo.country_name: - dashed_name: process-parent-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.parent.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - process.parent.entry_meta.source.geo.location: - dashed_name: process-parent-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.parent.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - process.parent.entry_meta.source.geo.name: - dashed_name: process-parent-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.parent.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.parent.entry_meta.source.geo.postal_code: - dashed_name: process-parent-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. 
- - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.parent.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.parent.entry_meta.source.geo.region_iso_code: - dashed_name: process-parent-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.parent.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.parent.entry_meta.source.geo.region_name: - dashed_name: process-parent-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.parent.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - process.parent.entry_meta.source.geo.timezone: - dashed_name: process-parent-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.parent.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.parent.entry_meta.source.ip: - dashed_name: process-parent-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.parent.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip - process.parent.entry_meta.source.mac: - dashed_name: process-parent-entry-meta-source-mac - description: 'MAC address of the source. 
- - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.parent.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.parent.entry_meta.source.nat.ip: - dashed_name: process-parent-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.parent.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.parent.entry_meta.source.nat.port: - dashed_name: process-parent-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.parent.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.parent.entry_meta.source.packets: - dashed_name: process-parent-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.parent.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.parent.entry_meta.source.port: - dashed_name: process-parent-entry-meta-source-port - description: Port of the source. 
- flat_name: process.parent.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.parent.entry_meta.source.registered_domain: - dashed_name: process-parent-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.parent.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.parent.entry_meta.source.subdomain: - dashed_name: process-parent-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.parent.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. 
- type: keyword - process.parent.entry_meta.source.top_level_domain: - dashed_name: process-parent-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.parent.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword - process.parent.entry_meta.type: - dashed_name: process-parent-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.parent.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword - process.parent.env_vars: - dashed_name: process-parent-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.parent.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. 
- synthetic_source_keep: none - type: keyword - process.parent.executable: - dashed_name: process-parent-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.parent.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword - process.parent.exit_code: - dashed_name: process-parent-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.parent.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long - process.parent.group.domain: - dashed_name: process-parent-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.group.id: - dashed_name: process-parent-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.group.name: - dashed_name: process-parent-group-name - description: Name of the group. - flat_name: process.parent.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.parent.group_leader.args: - dashed_name: process-parent-group-leader-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.parent.group_leader.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.parent.group_leader.args_count: - dashed_name: process-parent-group-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.parent.group_leader.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long - process.parent.group_leader.attested_groups.domain: - dashed_name: process-parent-group-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.group_leader.attested_groups.id: - dashed_name: process-parent-group-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.parent.group_leader.attested_groups.name: - dashed_name: process-parent-group-leader-attested-groups-name - description: Name of the group. - flat_name: process.parent.group_leader.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.group_leader.attested_user.domain: - dashed_name: process-parent-group-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.parent.group_leader.attested_user.email: - dashed_name: process-parent-group-leader-attested-user-email - description: User email address. - flat_name: process.parent.group_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.parent.group_leader.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.parent.group_leader.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. 
- type: object - process.parent.group_leader.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.group_leader.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.parent.group_leader.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.parent.group_leader.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.attested_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.parent.group_leader.attested_user.entity.id: - dashed_name: process-parent-group-leader-attested-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.parent.group_leader.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.parent.group_leader.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.parent.group_leader.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.parent.group_leader.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.parent.group_leader.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.parent.group_leader.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.parent.group_leader.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.parent.group_leader.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.parent.group_leader.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.attested_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.parent.group_leader.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. 
- flat_name: process.parent.group_leader.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.parent.group_leader.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.parent.group_leader.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.parent.group_leader.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.parent.group_leader.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.parent.group_leader.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.parent.group_leader.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.parent.group_leader.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. 
This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. 
This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.parent.group_leader.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.parent.group_leader.attested_user.full_name: - dashed_name: process-parent-group-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.group_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.parent.group_leader.attested_user.group.domain: - dashed_name: process-parent-group-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.parent.group_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.group_leader.attested_user.group.id: - dashed_name: process-parent-group-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.group_leader.attested_user.group.name: - dashed_name: process-parent-group-leader-attested-user-group-name - description: Name of the group. - flat_name: process.parent.group_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.group_leader.attested_user.hash: - dashed_name: process-parent-group-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.group_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.parent.group_leader.attested_user.id: - dashed_name: process-parent-group-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.group_leader.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword - process.parent.group_leader.attested_user.name: - dashed_name: process-parent-group-leader-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.group_leader.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.parent.group_leader.attested_user.risk.calculated_level: - dashed_name: process-parent-group-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.group_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.parent.group_leader.attested_user.risk.calculated_score: - dashed_name: process-parent-group-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.group_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.parent.group_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-parent-group-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.parent.group_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.parent.group_leader.attested_user.risk.static_level: - dashed_name: process-parent-group-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.group_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.parent.group_leader.attested_user.risk.static_score: - dashed_name: process-parent-group-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.group_leader.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.parent.group_leader.attested_user.risk.static_score_norm: - dashed_name: process-parent-group-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.group_leader.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.parent.group_leader.attested_user.roles: - dashed_name: process-parent-group-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.group_leader.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.parent.group_leader.code_signature.digest_algorithm: - dashed_name: process-parent-group-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.parent.group_leader.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword - process.parent.group_leader.code_signature.exists: - dashed_name: process-parent-group-leader-code-signature-exists - description: Boolean to capture if a signature is present. 
- example: 'true' - flat_name: process.parent.group_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.parent.group_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.parent.group_leader.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword - process.parent.group_leader.code_signature.signing_id: - dashed_name: process-parent-group-leader-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.parent.group_leader.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword - process.parent.group_leader.code_signature.status: - dashed_name: process-parent-group-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.parent.group_leader.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. 
- type: keyword - process.parent.group_leader.code_signature.subject_name: - dashed_name: process-parent-group-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.parent.group_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - process.parent.group_leader.code_signature.team_id: - dashed_name: process-parent-group-leader-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.parent.group_leader.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.parent.group_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.parent.group_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword - process.parent.group_leader.code_signature.timestamp: - dashed_name: process-parent-group-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. 
- example: '2021-01-01T12:10:30Z' - flat_name: process.parent.group_leader.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date - process.parent.group_leader.code_signature.trusted: - dashed_name: process-parent-group-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.parent.group_leader.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - process.parent.group_leader.code_signature.valid: - dashed_name: process-parent-group-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.parent.group_leader.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - process.parent.group_leader.command_line: - dashed_name: process-parent-group-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' 
- example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.parent.group_leader.command_line - level: extended - multi_fields: - - flat_name: process.parent.group_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.parent.group_leader.elf.architecture: - dashed_name: process-parent-group-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.parent.group_leader.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword - process.parent.group_leader.elf.byte_order: - dashed_name: process-parent-group-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.parent.group_leader.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword - process.parent.group_leader.elf.cpu_type: - dashed_name: process-parent-group-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.parent.group_leader.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword - process.parent.group_leader.elf.creation_date: - dashed_name: process-parent-group-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: process.parent.group_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. 
- type: date - process.parent.group_leader.elf.exports: - dashed_name: process-parent-group-leader-elf-exports - description: List of exported element names and types. - flat_name: process.parent.group_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - process.parent.group_leader.elf.go_import_hash: - dashed_name: process-parent-group-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.group_leader.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword - process.parent.group_leader.elf.go_imports: - dashed_name: process-parent-group-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.group_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened - process.parent.group_leader.elf.go_imports_names_entropy: - dashed_name: process-parent-group-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.parent.group_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long - process.parent.group_leader.elf.go_imports_names_var_entropy: - dashed_name: process-parent-group-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.group_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.parent.group_leader.elf.go_stripped: - dashed_name: process-parent-group-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.group_leader.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.parent.group_leader.elf.header.abi_version: - dashed_name: process-parent-group-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.parent.group_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword - process.parent.group_leader.elf.header.class: - dashed_name: process-parent-group-leader-elf-header-class - description: Header class of the ELF file. 
- flat_name: process.parent.group_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword - process.parent.group_leader.elf.header.data: - dashed_name: process-parent-group-leader-elf-header-data - description: Data table of the ELF header. - flat_name: process.parent.group_leader.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword - process.parent.group_leader.elf.header.entrypoint: - dashed_name: process-parent-group-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.parent.group_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - process.parent.group_leader.elf.header.object_version: - dashed_name: process-parent-group-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.parent.group_leader.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword - process.parent.group_leader.elf.header.os_abi: - dashed_name: process-parent-group-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.parent.group_leader.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword - process.parent.group_leader.elf.header.type: - dashed_name: process-parent-group-leader-elf-header-type - description: Header type of the ELF file. 
- flat_name: process.parent.group_leader.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword - process.parent.group_leader.elf.header.version: - dashed_name: process-parent-group-leader-elf-header-version - description: Version of the ELF header. - flat_name: process.parent.group_leader.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword - process.parent.group_leader.elf.import_hash: - dashed_name: process-parent-group-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.group_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword - process.parent.group_leader.elf.imports: - dashed_name: process-parent-group-leader-elf-imports - description: List of imported element names and types. - flat_name: process.parent.group_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - process.parent.group_leader.elf.imports_names_entropy: - dashed_name: process-parent-group-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.parent.group_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.parent.group_leader.elf.imports_names_var_entropy: - dashed_name: process-parent-group-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.group_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.parent.group_leader.elf.sections: - dashed_name: process-parent-group-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.parent.group_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - process.parent.group_leader.elf.sections.chi2: - dashed_name: process-parent-group-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.parent.group_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - process.parent.group_leader.elf.sections.entropy: - dashed_name: process-parent-group-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.parent.group_leader.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - process.parent.group_leader.elf.sections.flags: - dashed_name: process-parent-group-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.parent.group_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword - process.parent.group_leader.elf.sections.name: - dashed_name: process-parent-group-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.parent.group_leader.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - process.parent.group_leader.elf.sections.physical_offset: - dashed_name: process-parent-group-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.parent.group_leader.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword - process.parent.group_leader.elf.sections.physical_size: - dashed_name: process-parent-group-leader-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.parent.group_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long - process.parent.group_leader.elf.sections.type: - dashed_name: process-parent-group-leader-elf-sections-type - description: ELF Section List type. 
- flat_name: process.parent.group_leader.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword - process.parent.group_leader.elf.sections.var_entropy: - dashed_name: process-parent-group-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long - process.parent.group_leader.elf.sections.virtual_address: - dashed_name: process-parent-group-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.parent.group_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - process.parent.group_leader.elf.sections.virtual_size: - dashed_name: process-parent-group-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.parent.group_leader.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long - process.parent.group_leader.elf.segments: - dashed_name: process-parent-group-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: process.parent.group_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. 
- type: nested - process.parent.group_leader.elf.segments.sections: - dashed_name: process-parent-group-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.parent.group_leader.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword - process.parent.group_leader.elf.segments.type: - dashed_name: process-parent-group-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.parent.group_leader.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword - process.parent.group_leader.elf.shared_libraries: - dashed_name: process-parent-group-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.parent.group_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword - process.parent.group_leader.elf.telfhash: - dashed_name: process-parent-group-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.parent.group_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - process.parent.group_leader.end: - dashed_name: process-parent-group-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.group_leader.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date - process.parent.group_leader.endpoint_security_client: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-group-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.parent.group_leader.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.parent.group_leader.entity_id: - dashed_name: process-parent-group-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.parent.group_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.parent.group_leader.entry_meta.source.address: - dashed_name: process-parent-group-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.parent.group_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. 
- type: keyword - process.parent.group_leader.entry_meta.source.as.number: - dashed_name: process-parent-group-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.parent.group_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.parent.group_leader.entry_meta.source.as.organization.name: - dashed_name: process-parent-group-leader-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.parent.group_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword - process.parent.group_leader.entry_meta.source.bytes: - dashed_name: process-parent-group-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.parent.group_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.parent.group_leader.entry_meta.source.domain: - dashed_name: process-parent-group-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' 
- example: foo.example.com - flat_name: process.parent.group_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.parent.group_leader.entry_meta.source.geo.city_name: - dashed_name: process-parent-group-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.parent.group_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.parent.group_leader.entry_meta.source.geo.continent_code: - dashed_name: process-parent-group-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.parent.group_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - process.parent.group_leader.entry_meta.source.geo.continent_name: - dashed_name: process-parent-group-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.parent.group_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.parent.group_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-parent-group-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.parent.group_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. 
- type: keyword - process.parent.group_leader.entry_meta.source.geo.country_name: - dashed_name: process-parent-group-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.parent.group_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - process.parent.group_leader.entry_meta.source.geo.location: - dashed_name: process-parent-group-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.parent.group_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - process.parent.group_leader.entry_meta.source.geo.name: - dashed_name: process-parent-group-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.parent.group_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.parent.group_leader.entry_meta.source.geo.postal_code: - dashed_name: process-parent-group-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' 
- example: 94040 - flat_name: process.parent.group_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.parent.group_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-parent-group-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.parent.group_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.parent.group_leader.entry_meta.source.geo.region_name: - dashed_name: process-parent-group-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.parent.group_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - process.parent.group_leader.entry_meta.source.geo.timezone: - dashed_name: process-parent-group-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.parent.group_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.parent.group_leader.entry_meta.source.ip: - dashed_name: process-parent-group-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.parent.group_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. 
- type: ip - process.parent.group_leader.entry_meta.source.mac: - dashed_name: process-parent-group-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.parent.group_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.parent.group_leader.entry_meta.source.nat.ip: - dashed_name: process-parent-group-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.parent.group_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.parent.group_leader.entry_meta.source.nat.port: - dashed_name: process-parent-group-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.parent.group_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.parent.group_leader.entry_meta.source.packets: - dashed_name: process-parent-group-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. 
- example: 12 - flat_name: process.parent.group_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.parent.group_leader.entry_meta.source.port: - dashed_name: process-parent-group-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.parent.group_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.parent.group_leader.entry_meta.source.registered_domain: - dashed_name: process-parent-group-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.parent.group_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.parent.group_leader.entry_meta.source.subdomain: - dashed_name: process-parent-group-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
- If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.parent.group_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword - process.parent.group_leader.entry_meta.source.top_level_domain: - dashed_name: process-parent-group-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.parent.group_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword - process.parent.group_leader.entry_meta.type: - dashed_name: process-parent-group-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.parent.group_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword - process.parent.group_leader.env_vars: - dashed_name: process-parent-group-leader-env-vars - description: 'Array of environment variable bindings. 
Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.parent.group_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.parent.group_leader.executable: - dashed_name: process-parent-group-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.parent.group_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword - process.parent.group_leader.exit_code: - dashed_name: process-parent-group-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.parent.group_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long - process.parent.group_leader.group.domain: - dashed_name: process-parent-group-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.parent.group_leader.group.id: - dashed_name: process-parent-group-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.group_leader.group.name: - dashed_name: process-parent-group-leader-group-name - description: Name of the group. - flat_name: process.parent.group_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.group_leader.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.parent.group_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.parent.group_leader.hash.md5: - dashed_name: process-parent-group-leader-hash-md5 - description: MD5 hash. - flat_name: process.parent.group_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.parent.group_leader.hash.sha1: - dashed_name: process-parent-group-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.parent.group_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.parent.group_leader.hash.sha256: - dashed_name: process-parent-group-leader-hash-sha256 - description: SHA256 hash. 
- flat_name: process.parent.group_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.parent.group_leader.hash.sha384: - dashed_name: process-parent-group-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.parent.group_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword - process.parent.group_leader.hash.sha512: - dashed_name: process-parent-group-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.parent.group_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.parent.group_leader.hash.ssdeep: - dashed_name: process-parent-group-leader-hash-ssdeep - description: SSDEEP hash. - flat_name: process.parent.group_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword - process.parent.group_leader.hash.tlsh: - dashed_name: process-parent-group-leader-hash-tlsh - description: TLSH hash. - flat_name: process.parent.group_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.parent.group_leader.interactive: - dashed_name: process-parent-group-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. 
- - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.parent.group_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.parent.group_leader.io: - dashed_name: process-parent-group-leader-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.parent.group_leader.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object - process.parent.group_leader.io.bytes_skipped: - dashed_name: process-parent-group-leader-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - flat_name: process.parent.group_leader.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been - skipped. - type: object - process.parent.group_leader.io.bytes_skipped.length: - dashed_name: process-parent-group-leader-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.parent.group_leader.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. 
- type: long - process.parent.group_leader.io.bytes_skipped.offset: - dashed_name: process-parent-group-leader-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.parent.group_leader.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.parent.group_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-parent-group-leader-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.parent.group_leader.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean - process.parent.group_leader.io.text: - dashed_name: process-parent-group-leader-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.parent.group_leader.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. 
- type: wildcard - process.parent.group_leader.io.total_bytes_captured: - dashed_name: process-parent-group-leader-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.parent.group_leader.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long - process.parent.group_leader.io.total_bytes_skipped: - dashed_name: process-parent-group-leader-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.parent.group_leader.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. - type: long - process.parent.group_leader.io.type: - dashed_name: process-parent-group-leader-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - flat_name: process.parent.group_leader.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword - process.parent.group_leader.macho.go_import_hash: - dashed_name: process-parent-group-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.group_leader.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword - process.parent.group_leader.macho.go_imports: - dashed_name: process-parent-group-leader-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.group_leader.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.parent.group_leader.macho.go_imports_names_entropy: - dashed_name: process-parent-group-leader-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.group_leader.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long - process.parent.group_leader.macho.go_imports_names_var_entropy: - dashed_name: process-parent-group-leader-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.group_leader.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long - process.parent.group_leader.macho.go_stripped: - dashed_name: process-parent-group-leader-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.group_leader.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.parent.group_leader.macho.import_hash: - dashed_name: process-parent-group-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.group_leader.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.parent.group_leader.macho.imports: - dashed_name: process-parent-group-leader-macho-imports - description: List of imported element names and types. - flat_name: process.parent.group_leader.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened - process.parent.group_leader.macho.imports_names_entropy: - dashed_name: process-parent-group-leader-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.parent.group_leader.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.parent.group_leader.macho.imports_names_var_entropy: - dashed_name: process-parent-group-leader-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.group_leader.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.parent.group_leader.macho.sections: - dashed_name: process-parent-group-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.parent.group_leader.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.parent.group_leader.macho.sections.entropy: - dashed_name: process-parent-group-leader-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long - process.parent.group_leader.macho.sections.name: - dashed_name: process-parent-group-leader-macho-sections-name - description: Mach-O Section List name. 
- flat_name: process.parent.group_leader.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.parent.group_leader.macho.sections.physical_size: - dashed_name: process-parent-group-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.parent.group_leader.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long - process.parent.group_leader.macho.sections.var_entropy: - dashed_name: process-parent-group-leader-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long - process.parent.group_leader.macho.sections.virtual_size: - dashed_name: process-parent-group-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.group_leader.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long - process.parent.group_leader.macho.symhash: - dashed_name: process-parent-group-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. 
- - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.parent.group_leader.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.parent.group_leader.name: - dashed_name: process-parent-group-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.parent.group_leader.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword - process.parent.group_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.parent.group_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.parent.group_leader.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.parent.group_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. 
- type: keyword - process.parent.group_leader.pe.architecture: - dashed_name: process-parent-group-leader-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.parent.group_leader.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword - process.parent.group_leader.pe.company: - dashed_name: process-parent-group-leader-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.parent.group_leader.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.parent.group_leader.pe.description: - dashed_name: process-parent-group-leader-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.parent.group_leader.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword - process.parent.group_leader.pe.file_version: - dashed_name: process-parent-group-leader-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.parent.group_leader.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - process.parent.group_leader.pe.go_import_hash: - dashed_name: process-parent-group-leader-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.group_leader.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.parent.group_leader.pe.go_imports: - dashed_name: process-parent-group-leader-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.group_leader.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.parent.group_leader.pe.go_imports_names_entropy: - dashed_name: process-parent-group-leader-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.group_leader.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long - process.parent.group_leader.pe.go_imports_names_var_entropy: - dashed_name: process-parent-group-leader-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.group_leader.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long - process.parent.group_leader.pe.go_stripped: - dashed_name: process-parent-group-leader-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.group_leader.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.parent.group_leader.pe.imphash: - dashed_name: process-parent-group-leader-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.parent.group_leader.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.parent.group_leader.pe.import_hash: - dashed_name: process-parent-group-leader-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.group_leader.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.parent.group_leader.pe.imports: - dashed_name: process-parent-group-leader-pe-imports - description: List of imported element names and types. 
- flat_name: process.parent.group_leader.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened - process.parent.group_leader.pe.imports_names_entropy: - dashed_name: process-parent-group-leader-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.parent.group_leader.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.parent.group_leader.pe.imports_names_var_entropy: - dashed_name: process-parent-group-leader-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.group_leader.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.parent.group_leader.pe.original_file_name: - dashed_name: process-parent-group-leader-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.parent.group_leader.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword - process.parent.group_leader.pe.pehash: - dashed_name: process-parent-group-leader-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. 
- - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.parent.group_leader.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword - process.parent.group_leader.pe.product: - dashed_name: process-parent-group-leader-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.parent.group_leader.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.parent.group_leader.pe.sections: - dashed_name: process-parent-group-leader-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.parent.group_leader.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested - process.parent.group_leader.pe.sections.entropy: - dashed_name: process-parent-group-leader-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long - process.parent.group_leader.pe.sections.name: - dashed_name: process-parent-group-leader-pe-sections-name - description: PE Section List name. 
- flat_name: process.parent.group_leader.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword - process.parent.group_leader.pe.sections.physical_size: - dashed_name: process-parent-group-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.parent.group_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.parent.group_leader.pe.sections.var_entropy: - dashed_name: process-parent-group-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.parent.group_leader.pe.sections.virtual_size: - dashed_name: process-parent-group-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.group_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.parent.group_leader.pid: - dashed_name: process-parent-group-leader-pid - description: Process id. - example: 4242 - flat_name: process.parent.group_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.parent.group_leader.platform_binary: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-group-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.parent.group_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.parent.group_leader.real_group.domain: - dashed_name: process-parent-group-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.group_leader.real_group.id: - dashed_name: process-parent-group-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.group_leader.real_group.name: - dashed_name: process-parent-group-leader-real-group-name - description: Name of the group. - flat_name: process.parent.group_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.group_leader.real_user.domain: - dashed_name: process-parent-group-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.parent.group_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.parent.group_leader.real_user.email: - dashed_name: process-parent-group-leader-real-user-email - description: User email address. - flat_name: process.parent.group_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.parent.group_leader.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.parent.group_leader.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.parent.group_leader.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.parent.group_leader.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.parent.group_leader.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.parent.group_leader.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.real_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.parent.group_leader.real_user.entity.id: - dashed_name: process-parent-group-leader-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.parent.group_leader.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. 
- type: keyword - process.parent.group_leader.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.parent.group_leader.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.parent.group_leader.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.group_leader.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.parent.group_leader.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.parent.group_leader.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.parent.group_leader.real_user.entity.name: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-group-leader-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.parent.group_leader.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.real_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.parent.group_leader.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.parent.group_leader.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.parent.group_leader.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.parent.group_leader.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. 
- type: keyword - process.parent.group_leader.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.parent.group_leader.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.parent.group_leader.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.parent.group_leader.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.parent.group_leader.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. 
This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. 
This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
- example: host - flat_name: process.parent.group_leader.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.parent.group_leader.real_user.full_name: - dashed_name: process-parent-group-leader-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.group_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.parent.group_leader.real_user.group.domain: - dashed_name: process-parent-group-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.group_leader.real_user.group.id: - dashed_name: process-parent-group-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.group_leader.real_user.group.name: - dashed_name: process-parent-group-leader-real-user-group-name - description: Name of the group. 
- flat_name: process.parent.group_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.group_leader.real_user.hash: - dashed_name: process-parent-group-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.group_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.parent.group_leader.real_user.id: - dashed_name: process-parent-group-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.group_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.parent.group_leader.real_user.name: - dashed_name: process-parent-group-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.group_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.parent.group_leader.real_user.risk.calculated_level: - dashed_name: process-parent-group-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: High - flat_name: process.parent.group_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.parent.group_leader.real_user.risk.calculated_score: - dashed_name: process-parent-group-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.group_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.parent.group_leader.real_user.risk.calculated_score_norm: - dashed_name: process-parent-group-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.parent.group_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.parent.group_leader.real_user.risk.static_level: - dashed_name: process-parent-group-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.parent.group_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.parent.group_leader.real_user.risk.static_score: - dashed_name: process-parent-group-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.group_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.parent.group_leader.real_user.risk.static_score_norm: - dashed_name: process-parent-group-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.group_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.parent.group_leader.real_user.roles: - dashed_name: process-parent-group-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.group_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword - process.parent.group_leader.same_as_process: - dashed_name: process-parent-group-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.parent.group_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.parent.group_leader.saved_group.domain: - dashed_name: process-parent-group-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.parent.group_leader.saved_group.id: - dashed_name: process-parent-group-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.group_leader.saved_group.name: - dashed_name: process-parent-group-leader-saved-group-name - description: Name of the group. - flat_name: process.parent.group_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.group_leader.saved_user.domain: - dashed_name: process-parent-group-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.parent.group_leader.saved_user.email: - dashed_name: process-parent-group-leader-saved-user-email - description: User email address. - flat_name: process.parent.group_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.parent.group_leader.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. 
Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.parent.group_leader.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.parent.group_leader.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.group_leader.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.parent.group_leader.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.parent.group_leader.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.saved_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.parent.group_leader.saved_user.entity.id: - dashed_name: process-parent-group-leader-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.parent.group_leader.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.parent.group_leader.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.parent.group_leader.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." 
- type: date - process.parent.group_leader.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.group_leader.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.parent.group_leader.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.parent.group_leader.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.parent.group_leader.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.parent.group_leader.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.saved_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. 
- type: keyword - process.parent.group_leader.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.parent.group_leader.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.parent.group_leader.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.parent.group_leader.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.parent.group_leader.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.parent.group_leader.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.parent.group_leader.saved_user.entity.sub_type: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-group-leader-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.parent.group_leader.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.parent.group_leader.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. 
This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.parent.group_leader.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.parent.group_leader.saved_user.full_name: - dashed_name: process-parent-group-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.group_leader.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. 
- type: keyword - process.parent.group_leader.saved_user.group.domain: - dashed_name: process-parent-group-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.group_leader.saved_user.group.id: - dashed_name: process-parent-group-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.group_leader.saved_user.group.name: - dashed_name: process-parent-group-leader-saved-user-group-name - description: Name of the group. - flat_name: process.parent.group_leader.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.group_leader.saved_user.hash: - dashed_name: process-parent-group-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.group_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.parent.group_leader.saved_user.id: - dashed_name: process-parent-group-leader-saved-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.group_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.parent.group_leader.saved_user.name: - dashed_name: process-parent-group-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.group_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.parent.group_leader.saved_user.risk.calculated_level: - dashed_name: process-parent-group-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.group_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.parent.group_leader.saved_user.risk.calculated_score: - dashed_name: process-parent-group-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.group_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.parent.group_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-parent-group-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.parent.group_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.parent.group_leader.saved_user.risk.static_level: - dashed_name: process-parent-group-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.group_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.parent.group_leader.saved_user.risk.static_score: - dashed_name: process-parent-group-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.group_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.parent.group_leader.saved_user.risk.static_score_norm: - dashed_name: process-parent-group-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.group_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.parent.group_leader.saved_user.roles: - dashed_name: process-parent-group-leader-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.group_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.parent.group_leader.start: - dashed_name: process-parent-group-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.group_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.parent.group_leader.supplemental_groups.domain: - dashed_name: process-parent-group-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.parent.group_leader.supplemental_groups.id: - dashed_name: process-parent-group-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.group_leader.supplemental_groups.name: - dashed_name: process-parent-group-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.parent.group_leader.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.group_leader.thread.capabilities.effective: - dashed_name: process-parent-group-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.group_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword - process.parent.group_leader.thread.capabilities.permitted: - dashed_name: process-parent-group-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.group_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. 
- synthetic_source_keep: none - type: keyword - process.parent.group_leader.thread.id: - dashed_name: process-parent-group-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.parent.group_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long - process.parent.group_leader.thread.name: - dashed_name: process-parent-group-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.parent.group_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword - process.parent.group_leader.title: - dashed_name: process-parent-group-leader-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - flat_name: process.parent.group_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword - process.parent.group_leader.tty: - dashed_name: process-parent-group-leader-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.parent.group_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.parent.group_leader.tty.char_device.major: - dashed_name: process-parent-group-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. 
- The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.parent.group_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long - process.parent.group_leader.tty.char_device.minor: - dashed_name: process-parent-group-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.parent.group_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long - process.parent.group_leader.tty.columns: - dashed_name: process-parent-group-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.parent.group_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.parent.group_leader.tty.rows: - dashed_name: process-parent-group-leader-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. 
where event.action = ''text_output''' - example: 24 - flat_name: process.parent.group_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.parent.group_leader.uptime: - dashed_name: process-parent-group-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.parent.group_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long - process.parent.group_leader.user.domain: - dashed_name: process-parent-group-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.parent.group_leader.user.email: - dashed_name: process-parent-group-leader-user-email - description: User email address. - flat_name: process.parent.group_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.parent.group_leader.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. 
- flat_name: process.parent.group_leader.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.parent.group_leader.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.group_leader.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.parent.group_leader.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.parent.group_leader.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. 
- type: keyword - process.parent.group_leader.user.entity.id: - dashed_name: process-parent-group-leader-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.parent.group_leader.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.parent.group_leader.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.parent.group_leader.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.parent.group_leader.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.parent.group_leader.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.parent.group_leader.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.parent.group_leader.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.parent.group_leader.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.parent.group_leader.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.parent.group_leader.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. 
- flat_name: process.parent.group_leader.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.parent.group_leader.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.parent.group_leader.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.parent.group_leader.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.parent.group_leader.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.parent.group_leader.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: process.parent.group_leader.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.parent.group_leader.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. 
- This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.parent.group_leader.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.parent.group_leader.user.full_name: - dashed_name: process-parent-group-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.group_leader.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.parent.group_leader.user.group.domain: - dashed_name: process-parent-group-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.parent.group_leader.user.group.id: - dashed_name: process-parent-group-leader-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.group_leader.user.group.name: - dashed_name: process-parent-group-leader-user-group-name - description: Name of the group. - flat_name: process.parent.group_leader.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.group_leader.user.hash: - dashed_name: process-parent-group-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.group_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.parent.group_leader.user.id: - dashed_name: process-parent-group-leader-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.group_leader.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.parent.group_leader.user.name: - dashed_name: process-parent-group-leader-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.parent.group_leader.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.parent.group_leader.user.risk.calculated_level: - dashed_name: process-parent-group-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.group_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.parent.group_leader.user.risk.calculated_score: - dashed_name: process-parent-group-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.group_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.parent.group_leader.user.risk.calculated_score_norm: - dashed_name: process-parent-group-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. 
- example: 88.73 - flat_name: process.parent.group_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.parent.group_leader.user.risk.static_level: - dashed_name: process-parent-group-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.group_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.parent.group_leader.user.risk.static_score: - dashed_name: process-parent-group-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.group_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.parent.group_leader.user.risk.static_score_norm: - dashed_name: process-parent-group-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.group_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. 
- type: float - process.parent.group_leader.user.roles: - dashed_name: process-parent-group-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.group_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.parent.group_leader.vpid: - dashed_name: process-parent-group-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.parent.group_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.parent.group_leader.working_directory: - dashed_name: process-parent-group-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.parent.group_leader.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword - process.parent.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-parent-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. 
- example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.parent.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.parent.hash.md5: - dashed_name: process-parent-hash-md5 - description: MD5 hash. - flat_name: process.parent.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.parent.hash.sha1: - dashed_name: process-parent-hash-sha1 - description: SHA1 hash. - flat_name: process.parent.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.parent.hash.sha256: - dashed_name: process-parent-hash-sha256 - description: SHA256 hash. - flat_name: process.parent.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.parent.hash.sha384: - dashed_name: process-parent-hash-sha384 - description: SHA384 hash. - flat_name: process.parent.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword - process.parent.hash.sha512: - dashed_name: process-parent-hash-sha512 - description: SHA512 hash. - flat_name: process.parent.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.parent.hash.ssdeep: - dashed_name: process-parent-hash-ssdeep - description: SSDEEP hash. - flat_name: process.parent.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword - process.parent.hash.tlsh: - dashed_name: process-parent-hash-tlsh - description: TLSH hash. 
- flat_name: process.parent.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.parent.interactive: - dashed_name: process-parent-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.parent.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.parent.io: - dashed_name: process-parent-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.parent.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object - process.parent.io.bytes_skipped: - dashed_name: process-parent-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - flat_name: process.parent.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been - skipped. 
- type: object - process.parent.io.bytes_skipped.length: - dashed_name: process-parent-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.parent.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long - process.parent.io.bytes_skipped.offset: - dashed_name: process-parent-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.parent.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.parent.io.max_bytes_per_process_exceeded: - dashed_name: process-parent-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.parent.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean - process.parent.io.text: - dashed_name: process-parent-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' 
- flat_name: process.parent.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard - process.parent.io.total_bytes_captured: - dashed_name: process-parent-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.parent.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long - process.parent.io.total_bytes_skipped: - dashed_name: process-parent-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.parent.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. - type: long - process.parent.io.type: - dashed_name: process-parent-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - flat_name: process.parent.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword - process.parent.macho.go_import_hash: - dashed_name: process-parent-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword - process.parent.macho.go_imports: - dashed_name: process-parent-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.parent.macho.go_imports_names_entropy: - dashed_name: process-parent-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long - process.parent.macho.go_imports_names_var_entropy: - dashed_name: process-parent-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long - process.parent.macho.go_stripped: - dashed_name: process-parent-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.parent.macho.import_hash: - dashed_name: process-parent-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.parent.macho.imports: - dashed_name: process-parent-macho-imports - description: List of imported element names and types. - flat_name: process.parent.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened - process.parent.macho.imports_names_entropy: - dashed_name: process-parent-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.parent.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. 
- type: long - process.parent.macho.imports_names_var_entropy: - dashed_name: process-parent-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.parent.macho.sections: - dashed_name: process-parent-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.parent.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.parent.macho.sections.entropy: - dashed_name: process-parent-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long - process.parent.macho.sections.name: - dashed_name: process-parent-macho-sections-name - description: Mach-O Section List name. - flat_name: process.parent.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.parent.macho.sections.physical_size: - dashed_name: process-parent-macho-sections-physical-size - description: Mach-O Section List physical size. 
- flat_name: process.parent.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long - process.parent.macho.sections.var_entropy: - dashed_name: process-parent-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long - process.parent.macho.sections.virtual_size: - dashed_name: process-parent-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long - process.parent.macho.symhash: - dashed_name: process-parent-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.parent.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.parent.name: - dashed_name: process-parent-name - description: 'Process name. - - Sometimes called program name or similar.' 
- example: ssh - flat_name: process.parent.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword - process.parent.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-parent-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.parent.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.parent.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-parent-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.parent.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword - process.parent.pe.architecture: - dashed_name: process-parent-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.parent.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword - process.parent.pe.company: - dashed_name: process-parent-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.parent.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. 
- type: keyword - process.parent.pe.description: - dashed_name: process-parent-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.parent.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword - process.parent.pe.file_version: - dashed_name: process-parent-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.parent.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - process.parent.pe.go_import_hash: - dashed_name: process-parent-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.parent.pe.go_imports: - dashed_name: process-parent-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. 
- type: flattened - process.parent.pe.go_imports_names_entropy: - dashed_name: process-parent-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long - process.parent.pe.go_imports_names_var_entropy: - dashed_name: process-parent-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.parent.pe.go_stripped: - dashed_name: process-parent-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.parent.pe.imphash: - dashed_name: process-parent-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.parent.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. 
- type: keyword - process.parent.pe.import_hash: - dashed_name: process-parent-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.parent.pe.imports: - dashed_name: process-parent-pe-imports - description: List of imported element names and types. - flat_name: process.parent.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened - process.parent.pe.imports_names_entropy: - dashed_name: process-parent-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.parent.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.parent.pe.imports_names_var_entropy: - dashed_name: process-parent-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. 
- type: long - process.parent.pe.original_file_name: - dashed_name: process-parent-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.parent.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword - process.parent.pe.pehash: - dashed_name: process-parent-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.parent.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword - process.parent.pe.product: - dashed_name: process-parent-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.parent.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.parent.pe.sections: - dashed_name: process-parent-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.parent.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. 
- type: nested - process.parent.pe.sections.entropy: - dashed_name: process-parent-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long - process.parent.pe.sections.name: - dashed_name: process-parent-pe-sections-name - description: PE Section List name. - flat_name: process.parent.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword - process.parent.pe.sections.physical_size: - dashed_name: process-parent-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.parent.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.parent.pe.sections.var_entropy: - dashed_name: process-parent-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.parent.pe.sections.virtual_size: - dashed_name: process-parent-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.parent.pid: - dashed_name: process-parent-pid - description: Process id. 
- example: 4242 - flat_name: process.parent.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.parent.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-parent-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.parent.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.parent.real_group.domain: - dashed_name: process-parent-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.real_group.id: - dashed_name: process-parent-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.real_group.name: - dashed_name: process-parent-real-group-name - description: Name of the group. - flat_name: process.parent.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.real_user.domain: - dashed_name: process-parent-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.parent.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.parent.real_user.email: - dashed_name: process-parent-real-user-email - description: User email address. - flat_name: process.parent.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.parent.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.parent.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.parent.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. 
- type: object - process.parent.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.parent.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.real_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.parent.real_user.entity.id: - dashed_name: process-parent-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.parent.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.parent.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. 
- flat_name: process.parent.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.parent.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.parent.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.parent.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.parent.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. 
- flat_name: process.parent.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.real_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.parent.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.parent.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.parent.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.parent.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.parent.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). 
- flat_name: process.parent.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.parent.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.parent.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.parent.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. 
- Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. 
Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.parent.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.parent.real_user.full_name: - dashed_name: process-parent-real-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.parent.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.parent.real_user.group.domain: - dashed_name: process-parent-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.real_user.group.id: - dashed_name: process-parent-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.real_user.group.name: - dashed_name: process-parent-real-user-group-name - description: Name of the group. - flat_name: process.parent.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.real_user.hash: - dashed_name: process-parent-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. 
- type: keyword - process.parent.real_user.id: - dashed_name: process-parent-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.parent.real_user.name: - dashed_name: process-parent-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.parent.real_user.risk.calculated_level: - dashed_name: process-parent-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.parent.real_user.risk.calculated_score: - dashed_name: process-parent-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.parent.real_user.risk.calculated_score_norm: - dashed_name: process-parent-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.parent.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.parent.real_user.risk.static_level: - dashed_name: process-parent-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.parent.real_user.risk.static_score: - dashed_name: process-parent-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.parent.real_user.risk.static_score_norm: - dashed_name: process-parent-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - flat_name: process.parent.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.parent.real_user.roles: - dashed_name: process-parent-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.parent.same_as_process: - dashed_name: process-parent-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' 
- example: true - flat_name: process.parent.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.parent.saved_group.domain: - dashed_name: process-parent-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.saved_group.id: - dashed_name: process-parent-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.saved_group.name: - dashed_name: process-parent-saved-group-name - description: Name of the group. - flat_name: process.parent.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.saved_user.domain: - dashed_name: process-parent-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.parent.saved_user.email: - dashed_name: process-parent-saved-user-email - description: User email address. 
- flat_name: process.parent.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.parent.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.parent.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.parent.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.parent.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. 
This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.parent.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.saved_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.parent.saved_user.entity.id: - dashed_name: process-parent-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.parent.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.parent.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.parent.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." 
- type: date - process.parent.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.parent.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.parent.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.parent.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.parent.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.saved_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.parent.saved_user.entity.raw: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.parent.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.parent.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.parent.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.parent.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.parent.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.parent.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. 
Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.parent.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.parent.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. 
This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. 
This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.parent.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.parent.saved_user.full_name: - dashed_name: process-parent-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.parent.saved_user.group.domain: - dashed_name: process-parent-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.parent.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.saved_user.group.id: - dashed_name: process-parent-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.saved_user.group.name: - dashed_name: process-parent-saved-user-group-name - description: Name of the group. - flat_name: process.parent.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.saved_user.hash: - dashed_name: process-parent-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.parent.saved_user.id: - dashed_name: process-parent-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.parent.saved_user.name: - dashed_name: process-parent-saved-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.parent.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.parent.saved_user.risk.calculated_level: - dashed_name: process-parent-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.parent.saved_user.risk.calculated_score: - dashed_name: process-parent-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.parent.saved_user.risk.calculated_score_norm: - dashed_name: process-parent-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.parent.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float - process.parent.saved_user.risk.static_level: - dashed_name: process-parent-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.parent.saved_user.risk.static_score: - dashed_name: process-parent-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.parent.saved_user.risk.static_score_norm: - dashed_name: process-parent-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.parent.saved_user.roles: - dashed_name: process-parent-saved-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.parent.start: - dashed_name: process-parent-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.parent.supplemental_groups.domain: - dashed_name: process-parent-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.supplemental_groups.id: - dashed_name: process-parent-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.supplemental_groups.name: - dashed_name: process-parent-supplemental-groups-name - description: Name of the group. - flat_name: process.parent.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.thread.capabilities.effective: - dashed_name: process-parent-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword - process.parent.thread.capabilities.permitted: - dashed_name: process-parent-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.parent.thread.id: - dashed_name: process-parent-thread-id - description: Thread ID. - example: 4242 - flat_name: process.parent.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long - process.parent.thread.name: - dashed_name: process-parent-thread-name - description: Thread name. - example: thread-0 - flat_name: process.parent.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword - process.parent.title: - dashed_name: process-parent-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' 
- flat_name: process.parent.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword - process.parent.tty: - dashed_name: process-parent-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.parent.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.parent.tty.char_device.major: - dashed_name: process-parent-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.parent.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long - process.parent.tty.char_device.minor: - dashed_name: process-parent-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.parent.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long - process.parent.tty.columns: - dashed_name: process-parent-tty-columns - description: 'The number of character columns per line. 
e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.parent.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.parent.tty.rows: - dashed_name: process-parent-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.parent.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.parent.uptime: - dashed_name: process-parent-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.parent.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long - process.parent.user.domain: - dashed_name: process-parent-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.parent.user.email: - dashed_name: process-parent-user-email - description: User email address. - flat_name: process.parent.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.parent.user.entity.attributes: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.parent.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.parent.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.parent.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.parent.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.parent.user.entity.id: - dashed_name: process-parent-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.parent.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.parent.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.parent.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.parent.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.parent.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.parent.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.parent.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.parent.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.parent.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. 
- flat_name: process.parent.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.parent.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.parent.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.parent.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.parent.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.parent.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: process.parent.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.parent.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. 
- This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.parent.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.parent.user.full_name: - dashed_name: process-parent-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.parent.user.group.domain: - dashed_name: process-parent-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.user.group.id: - dashed_name: process-parent-user-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.parent.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.user.group.name: - dashed_name: process-parent-user-group-name - description: Name of the group. - flat_name: process.parent.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.user.hash: - dashed_name: process-parent-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.parent.user.id: - dashed_name: process-parent-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.parent.user.name: - dashed_name: process-parent-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword - process.parent.user.risk.calculated_level: - dashed_name: process-parent-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.parent.user.risk.calculated_score: - dashed_name: process-parent-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.parent.user.risk.calculated_score_norm: - dashed_name: process-parent-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.parent.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.parent.user.risk.static_level: - dashed_name: process-parent-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.parent.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.parent.user.risk.static_score: - dashed_name: process-parent-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.parent.user.risk.static_score_norm: - dashed_name: process-parent-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.parent.user.roles: - dashed_name: process-parent-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.parent.vpid: - dashed_name: process-parent-vpid - description: 'Virtual process id. - - The process id within a pid namespace. 
This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.parent.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.parent.working_directory: - dashed_name: process-parent-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.parent.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword - process.pe.architecture: - dashed_name: process-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword - process.pe.company: - dashed_name: process-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.pe.description: - dashed_name: process-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. 
- type: keyword - process.pe.file_version: - dashed_name: process-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - process.pe.go_import_hash: - dashed_name: process-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.pe.go_imports: - dashed_name: process-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.pe.go_imports_names_entropy: - dashed_name: process-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. 
- type: long - process.pe.go_imports_names_var_entropy: - dashed_name: process-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.pe.go_stripped: - dashed_name: process-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.pe.imphash: - dashed_name: process-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.pe.import_hash: - dashed_name: process-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.pe.imports: - dashed_name: process-pe-imports - description: List of imported element names and types. - flat_name: process.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened - process.pe.imports_names_entropy: - dashed_name: process-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.pe.imports_names_var_entropy: - dashed_name: process-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.pe.original_file_name: - dashed_name: process-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword - process.pe.pehash: - dashed_name: process-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. 
- An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword - process.pe.product: - dashed_name: process-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.pe.sections: - dashed_name: process-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested - process.pe.sections.entropy: - dashed_name: process-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long - process.pe.sections.name: - dashed_name: process-pe-sections-name - description: PE Section List name. - flat_name: process.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. 
- type: keyword - process.pe.sections.physical_size: - dashed_name: process-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.pe.sections.var_entropy: - dashed_name: process-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.pe.sections.virtual_size: - dashed_name: process-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.pid: - dashed_name: process-pid - description: Process id. - example: 4242 - flat_name: process.pid - format: string - level: core - name: pid - normalize: [] - otel: - - relation: match - short: Process id. - type: long - process.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.platform_binary - level: extended - name: platform_binary - normalize: [] - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. 
- type: boolean - process.previous.args: - dashed_name: process-previous-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.previous.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.previous.args_count: - dashed_name: process-previous-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.previous.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long - process.previous.attested_groups.domain: - dashed_name: process-previous-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.previous.attested_groups.id: - dashed_name: process-previous-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.previous.attested_groups.name: - dashed_name: process-previous-attested-groups-name - description: Name of the group. 
- flat_name: process.previous.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.previous.attested_user.domain: - dashed_name: process-previous-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.previous.attested_user.email: - dashed_name: process-previous-attested-user-email - description: User email address. - flat_name: process.previous.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.previous.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.previous.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.previous.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. 
Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.previous.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.previous.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.previous.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.attested_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.previous.attested_user.entity.id: - dashed_name: process-previous-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' 
- flat_name: process.previous.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.previous.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.previous.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.previous.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.previous.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.previous.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.previous.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. 
- type: object - process.previous.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.previous.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.attested_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.previous.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.previous.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.previous.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. 
- flat_name: process.previous.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.previous.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.previous.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.previous.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.previous.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.previous.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. 
- name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. 
This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
- example: host - flat_name: process.previous.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.previous.attested_user.full_name: - dashed_name: process-previous-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.previous.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.previous.attested_user.group.domain: - dashed_name: process-previous-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.previous.attested_user.group.id: - dashed_name: process-previous-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.previous.attested_user.group.name: - dashed_name: process-previous-attested-user-group-name - description: Name of the group. - flat_name: process.previous.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.previous.attested_user.hash: - dashed_name: process-previous-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.previous.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.previous.attested_user.id: - dashed_name: process-previous-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.previous.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.previous.attested_user.name: - dashed_name: process-previous-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.previous.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.previous.attested_user.risk.calculated_level: - dashed_name: process-previous-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.previous.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: keyword - process.previous.attested_user.risk.calculated_score: - dashed_name: process-previous-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.previous.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.previous.attested_user.risk.calculated_score_norm: - dashed_name: process-previous-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.previous.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.previous.attested_user.risk.static_level: - dashed_name: process-previous-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.previous.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.previous.attested_user.risk.static_score: - dashed_name: process-previous-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.previous.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.previous.attested_user.risk.static_score_norm: - dashed_name: process-previous-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.previous.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.previous.attested_user.roles: - dashed_name: process-previous-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.previous.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.previous.code_signature.digest_algorithm: - dashed_name: process-previous-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.previous.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. 
- type: keyword - process.previous.code_signature.exists: - dashed_name: process-previous-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.previous.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.previous.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-previous-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.previous.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword - process.previous.code_signature.signing_id: - dashed_name: process-previous-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.previous.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword - process.previous.code_signature.status: - dashed_name: process-previous-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.previous.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. 
- type: keyword - process.previous.code_signature.subject_name: - dashed_name: process-previous-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.previous.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - process.previous.code_signature.team_id: - dashed_name: process-previous-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.previous.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.previous.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-previous-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.previous.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword - process.previous.code_signature.timestamp: - dashed_name: process-previous-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.previous.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. 
- type: date - process.previous.code_signature.trusted: - dashed_name: process-previous-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.previous.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - process.previous.code_signature.valid: - dashed_name: process-previous-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.previous.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - process.previous.command_line: - dashed_name: process-previous-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.previous.command_line - level: extended - multi_fields: - - flat_name: process.previous.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.previous.elf.architecture: - dashed_name: process-previous-elf-architecture - description: Machine architecture of the ELF file. 
- example: x86-64 - flat_name: process.previous.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword - process.previous.elf.byte_order: - dashed_name: process-previous-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.previous.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword - process.previous.elf.cpu_type: - dashed_name: process-previous-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.previous.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword - process.previous.elf.creation_date: - dashed_name: process-previous-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: process.previous.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date - process.previous.elf.exports: - dashed_name: process-previous-elf-exports - description: List of exported element names and types. - flat_name: process.previous.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - process.previous.elf.go_import_hash: - dashed_name: process-previous-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.previous.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword - process.previous.elf.go_imports: - dashed_name: process-previous-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.previous.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened - process.previous.elf.go_imports_names_entropy: - dashed_name: process-previous-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.previous.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long - process.previous.elf.go_imports_names_var_entropy: - dashed_name: process-previous-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.previous.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long - process.previous.elf.go_stripped: - dashed_name: process-previous-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.previous.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.previous.elf.header.abi_version: - dashed_name: process-previous-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.previous.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword - process.previous.elf.header.class: - dashed_name: process-previous-elf-header-class - description: Header class of the ELF file. - flat_name: process.previous.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword - process.previous.elf.header.data: - dashed_name: process-previous-elf-header-data - description: Data table of the ELF header. - flat_name: process.previous.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword - process.previous.elf.header.entrypoint: - dashed_name: process-previous-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.previous.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. 
- type: long - process.previous.elf.header.object_version: - dashed_name: process-previous-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.previous.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword - process.previous.elf.header.os_abi: - dashed_name: process-previous-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.previous.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword - process.previous.elf.header.type: - dashed_name: process-previous-elf-header-type - description: Header type of the ELF file. - flat_name: process.previous.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword - process.previous.elf.header.version: - dashed_name: process-previous-elf-header-version - description: Version of the ELF header. - flat_name: process.previous.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword - process.previous.elf.import_hash: - dashed_name: process-previous-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.previous.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword - process.previous.elf.imports: - dashed_name: process-previous-elf-imports - description: List of imported element names and types. - flat_name: process.previous.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - process.previous.elf.imports_names_entropy: - dashed_name: process-previous-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.previous.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.previous.elf.imports_names_var_entropy: - dashed_name: process-previous-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.previous.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.previous.elf.sections: - dashed_name: process-previous-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.previous.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. 
- type: nested - process.previous.elf.sections.chi2: - dashed_name: process-previous-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.previous.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - process.previous.elf.sections.entropy: - dashed_name: process-previous-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.previous.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - process.previous.elf.sections.flags: - dashed_name: process-previous-elf-sections-flags - description: ELF Section List flags. - flat_name: process.previous.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword - process.previous.elf.sections.name: - dashed_name: process-previous-elf-sections-name - description: ELF Section List name. - flat_name: process.previous.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - process.previous.elf.sections.physical_offset: - dashed_name: process-previous-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.previous.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword - process.previous.elf.sections.physical_size: - dashed_name: process-previous-elf-sections-physical-size - description: ELF Section List physical size. 
- flat_name: process.previous.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long - process.previous.elf.sections.type: - dashed_name: process-previous-elf-sections-type - description: ELF Section List type. - flat_name: process.previous.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword - process.previous.elf.sections.var_entropy: - dashed_name: process-previous-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.previous.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long - process.previous.elf.sections.virtual_address: - dashed_name: process-previous-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.previous.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - process.previous.elf.sections.virtual_size: - dashed_name: process-previous-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.previous.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long - process.previous.elf.segments: - dashed_name: process-previous-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' 
- flat_name: process.previous.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested - process.previous.elf.segments.sections: - dashed_name: process-previous-elf-segments-sections - description: ELF object segment sections. - flat_name: process.previous.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword - process.previous.elf.segments.type: - dashed_name: process-previous-elf-segments-type - description: ELF object segment type. - flat_name: process.previous.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword - process.previous.elf.shared_libraries: - dashed_name: process-previous-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.previous.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword - process.previous.elf.telfhash: - dashed_name: process-previous-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.previous.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - process.previous.end: - dashed_name: process-previous-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.previous.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date - process.previous.endpoint_security_client: - beta: This field is beta and subject to change. 
- dashed_name: process-previous-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.previous.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.previous.entity_id: - dashed_name: process-previous-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.previous.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.previous.entry_meta.source.address: - dashed_name: process-previous-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.previous.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. 
- type: keyword - process.previous.entry_meta.source.as.number: - dashed_name: process-previous-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.previous.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.previous.entry_meta.source.as.organization.name: - dashed_name: process-previous-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.previous.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword - process.previous.entry_meta.source.bytes: - dashed_name: process-previous-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.previous.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.previous.entry_meta.source.domain: - dashed_name: process-previous-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.previous.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. 
- type: keyword - process.previous.entry_meta.source.geo.city_name: - dashed_name: process-previous-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.previous.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.previous.entry_meta.source.geo.continent_code: - dashed_name: process-previous-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.previous.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - process.previous.entry_meta.source.geo.continent_name: - dashed_name: process-previous-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.previous.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.previous.entry_meta.source.geo.country_iso_code: - dashed_name: process-previous-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.previous.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - process.previous.entry_meta.source.geo.country_name: - dashed_name: process-previous-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.previous.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. 
- type: keyword - process.previous.entry_meta.source.geo.location: - dashed_name: process-previous-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.previous.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - process.previous.entry_meta.source.geo.name: - dashed_name: process-previous-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.previous.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.previous.entry_meta.source.geo.postal_code: - dashed_name: process-previous-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.previous.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.previous.entry_meta.source.geo.region_iso_code: - dashed_name: process-previous-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.previous.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. 
- type: keyword - process.previous.entry_meta.source.geo.region_name: - dashed_name: process-previous-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.previous.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - process.previous.entry_meta.source.geo.timezone: - dashed_name: process-previous-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.previous.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.previous.entry_meta.source.ip: - dashed_name: process-previous-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.previous.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip - process.previous.entry_meta.source.mac: - dashed_name: process-previous-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.previous.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.previous.entry_meta.source.nat.ip: - dashed_name: process-previous-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. 
internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.previous.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.previous.entry_meta.source.nat.port: - dashed_name: process-previous-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.previous.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.previous.entry_meta.source.packets: - dashed_name: process-previous-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.previous.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.previous.entry_meta.source.port: - dashed_name: process-previous-entry-meta-source-port - description: Port of the source. - flat_name: process.previous.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.previous.entry_meta.source.registered_domain: - dashed_name: process-previous-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' 
- example: example.com - flat_name: process.previous.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.previous.entry_meta.source.subdomain: - dashed_name: process-previous-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.previous.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword - process.previous.entry_meta.source.top_level_domain: - dashed_name: process-previous-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.previous.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). 
- type: keyword - process.previous.entry_meta.type: - dashed_name: process-previous-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.previous.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword - process.previous.env_vars: - dashed_name: process-previous-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.previous.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.previous.executable: - dashed_name: process-previous-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.previous.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword - process.previous.exit_code: - dashed_name: process-previous-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.previous.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. 
- type: long - process.previous.group.domain: - dashed_name: process-previous-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.previous.group.id: - dashed_name: process-previous-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.previous.group.name: - dashed_name: process-previous-group-name - description: Name of the group. - flat_name: process.previous.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.previous.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-previous-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.previous.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.previous.hash.md5: - dashed_name: process-previous-hash-md5 - description: MD5 hash. - flat_name: process.previous.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.previous.hash.sha1: - dashed_name: process-previous-hash-sha1 - description: SHA1 hash. 
- flat_name: process.previous.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.previous.hash.sha256: - dashed_name: process-previous-hash-sha256 - description: SHA256 hash. - flat_name: process.previous.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.previous.hash.sha384: - dashed_name: process-previous-hash-sha384 - description: SHA384 hash. - flat_name: process.previous.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword - process.previous.hash.sha512: - dashed_name: process-previous-hash-sha512 - description: SHA512 hash. - flat_name: process.previous.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.previous.hash.ssdeep: - dashed_name: process-previous-hash-ssdeep - description: SSDEEP hash. - flat_name: process.previous.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword - process.previous.hash.tlsh: - dashed_name: process-previous-hash-tlsh - description: TLSH hash. - flat_name: process.previous.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.previous.interactive: - dashed_name: process-previous-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. 
- - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.previous.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.previous.io: - dashed_name: process-previous-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.previous.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object - process.previous.io.bytes_skipped: - dashed_name: process-previous-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - flat_name: process.previous.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been - skipped. - type: object - process.previous.io.bytes_skipped.length: - dashed_name: process-previous-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.previous.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. 
- type: long - process.previous.io.bytes_skipped.offset: - dashed_name: process-previous-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.previous.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.previous.io.max_bytes_per_process_exceeded: - dashed_name: process-previous-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.previous.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean - process.previous.io.text: - dashed_name: process-previous-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.previous.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard - process.previous.io.total_bytes_captured: - dashed_name: process-previous-io-total-bytes-captured - description: The total number of bytes captured in this event. 
- flat_name: process.previous.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long - process.previous.io.total_bytes_skipped: - dashed_name: process-previous-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.previous.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. - type: long - process.previous.io.type: - dashed_name: process-previous-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - flat_name: process.previous.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword - process.previous.macho.go_import_hash: - dashed_name: process-previous-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.previous.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword - process.previous.macho.go_imports: - dashed_name: process-previous-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.previous.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.previous.macho.go_imports_names_entropy: - dashed_name: process-previous-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.previous.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long - process.previous.macho.go_imports_names_var_entropy: - dashed_name: process-previous-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.previous.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.previous.macho.go_stripped: - dashed_name: process-previous-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. 
- flat_name: process.previous.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.previous.macho.import_hash: - dashed_name: process-previous-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.previous.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.previous.macho.imports: - dashed_name: process-previous-macho-imports - description: List of imported element names and types. - flat_name: process.previous.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened - process.previous.macho.imports_names_entropy: - dashed_name: process-previous-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.previous.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.previous.macho.imports_names_var_entropy: - dashed_name: process-previous-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- flat_name: process.previous.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.previous.macho.sections: - dashed_name: process-previous-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.previous.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.previous.macho.sections.entropy: - dashed_name: process-previous-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.previous.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long - process.previous.macho.sections.name: - dashed_name: process-previous-macho-sections-name - description: Mach-O Section List name. - flat_name: process.previous.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.previous.macho.sections.physical_size: - dashed_name: process-previous-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.previous.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. 
- type: long - process.previous.macho.sections.var_entropy: - dashed_name: process-previous-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.previous.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long - process.previous.macho.sections.virtual_size: - dashed_name: process-previous-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.previous.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long - process.previous.macho.symhash: - dashed_name: process-previous-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.previous.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.previous.name: - dashed_name: process-previous-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.previous.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. 
- type: keyword - process.previous.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-previous-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.previous.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.previous.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-previous-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.previous.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword - process.previous.pe.architecture: - dashed_name: process-previous-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.previous.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword - process.previous.pe.company: - dashed_name: process-previous-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.previous.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.previous.pe.description: - dashed_name: process-previous-pe-description - description: Internal description of the file, provided at compile-time. 
- example: Paint - flat_name: process.previous.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword - process.previous.pe.file_version: - dashed_name: process-previous-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.previous.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - process.previous.pe.go_import_hash: - dashed_name: process-previous-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.previous.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.previous.pe.go_imports: - dashed_name: process-previous-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.previous.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.previous.pe.go_imports_names_entropy: - dashed_name: process-previous-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.previous.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long - process.previous.pe.go_imports_names_var_entropy: - dashed_name: process-previous-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.previous.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.previous.pe.go_stripped: - dashed_name: process-previous-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.previous.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.previous.pe.imphash: - dashed_name: process-previous-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.previous.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.previous.pe.import_hash: - dashed_name: process-previous-pe-import-hash - description: 'A hash of the imports in a PE file. 
An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.previous.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.previous.pe.imports: - dashed_name: process-previous-pe-imports - description: List of imported element names and types. - flat_name: process.previous.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened - process.previous.pe.imports_names_entropy: - dashed_name: process-previous-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.previous.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.previous.pe.imports_names_var_entropy: - dashed_name: process-previous-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.previous.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.previous.pe.original_file_name: - dashed_name: process-previous-pe-original-file-name - description: Internal name of the file, provided at compile-time. 
- example: MSPAINT.EXE - flat_name: process.previous.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword - process.previous.pe.pehash: - dashed_name: process-previous-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.previous.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword - process.previous.pe.product: - dashed_name: process-previous-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.previous.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.previous.pe.sections: - dashed_name: process-previous-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.previous.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested - process.previous.pe.sections.entropy: - dashed_name: process-previous-pe-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.previous.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long - process.previous.pe.sections.name: - dashed_name: process-previous-pe-sections-name - description: PE Section List name. - flat_name: process.previous.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword - process.previous.pe.sections.physical_size: - dashed_name: process-previous-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.previous.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.previous.pe.sections.var_entropy: - dashed_name: process-previous-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.previous.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.previous.pe.sections.virtual_size: - dashed_name: process-previous-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.previous.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.previous.pid: - dashed_name: process-previous-pid - description: Process id. 
- example: 4242 - flat_name: process.previous.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.previous.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-previous-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.previous.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.previous.real_group.domain: - dashed_name: process-previous-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.previous.real_group.id: - dashed_name: process-previous-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.previous.real_group.name: - dashed_name: process-previous-real-group-name - description: Name of the group. - flat_name: process.previous.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.previous.real_user.domain: - dashed_name: process-previous-real-user-domain - description: 'Name of the directory the user is a member of. 
- - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.previous.real_user.email: - dashed_name: process-previous-real-user-email - description: User email address. - flat_name: process.previous.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.previous.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.previous.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.previous.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.previous.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.previous.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.previous.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.real_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.previous.real_user.entity.id: - dashed_name: process-previous-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.previous.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. 
- type: keyword - process.previous.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.previous.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.previous.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.previous.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.previous.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.previous.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.previous.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-name - description: The name of the entity. 
The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.previous.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.real_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.previous.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.previous.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.previous.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.previous.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.previous.real_user.entity.source: - beta: This field is beta and subject to change. 
- dashed_name: process-previous-real-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.previous.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.previous.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.previous.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.previous.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. 
- name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. 
- name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.previous.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.previous.real_user.full_name: - dashed_name: process-previous-real-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.previous.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.previous.real_user.group.domain: - dashed_name: process-previous-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.previous.real_user.group.id: - dashed_name: process-previous-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.previous.real_user.group.name: - dashed_name: process-previous-real-user-group-name - description: Name of the group. - flat_name: process.previous.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.previous.real_user.hash: - dashed_name: process-previous-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.previous.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. 
- type: keyword - process.previous.real_user.id: - dashed_name: process-previous-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.previous.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.previous.real_user.name: - dashed_name: process-previous-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.previous.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.previous.real_user.risk.calculated_level: - dashed_name: process-previous-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.previous.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.previous.real_user.risk.calculated_score: - dashed_name: process-previous-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.previous.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.previous.real_user.risk.calculated_score_norm: - dashed_name: process-previous-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.previous.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.previous.real_user.risk.static_level: - dashed_name: process-previous-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.previous.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.previous.real_user.risk.static_score: - dashed_name: process-previous-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.previous.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.previous.real_user.risk.static_score_norm: - dashed_name: process-previous-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - flat_name: process.previous.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.previous.real_user.roles: - dashed_name: process-previous-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.previous.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.previous.same_as_process: - dashed_name: process-previous-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' 
- example: true - flat_name: process.previous.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.previous.saved_group.domain: - dashed_name: process-previous-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.previous.saved_group.id: - dashed_name: process-previous-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.previous.saved_group.name: - dashed_name: process-previous-saved-group-name - description: Name of the group. - flat_name: process.previous.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.previous.saved_user.domain: - dashed_name: process-previous-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.previous.saved_user.email: - dashed_name: process-previous-saved-user-email - description: User email address. 
- flat_name: process.previous.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.previous.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.previous.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.previous.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.previous.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.previous.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. 
This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.previous.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.saved_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.previous.saved_user.entity.id: - dashed_name: process-previous-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.previous.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.previous.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.previous.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." 
- type: date - process.previous.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.previous.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.previous.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.previous.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.previous.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.previous.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.saved_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.previous.saved_user.entity.raw: - beta: This field is beta and subject to change. 
- dashed_name: process-previous-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.previous.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.previous.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.previous.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.previous.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.previous.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.previous.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. 
Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.previous.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.previous.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. 
This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. 
This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.previous.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.previous.saved_user.full_name: - dashed_name: process-previous-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.previous.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.previous.saved_user.group.domain: - dashed_name: process-previous-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.previous.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.previous.saved_user.group.id: - dashed_name: process-previous-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.previous.saved_user.group.name: - dashed_name: process-previous-saved-user-group-name - description: Name of the group. - flat_name: process.previous.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.previous.saved_user.hash: - dashed_name: process-previous-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.previous.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.previous.saved_user.id: - dashed_name: process-previous-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.previous.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.previous.saved_user.name: - dashed_name: process-previous-saved-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.previous.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.previous.saved_user.risk.calculated_level: - dashed_name: process-previous-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.previous.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.previous.saved_user.risk.calculated_score: - dashed_name: process-previous-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.previous.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.previous.saved_user.risk.calculated_score_norm: - dashed_name: process-previous-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.previous.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float - process.previous.saved_user.risk.static_level: - dashed_name: process-previous-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.previous.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.previous.saved_user.risk.static_score: - dashed_name: process-previous-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.previous.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.previous.saved_user.risk.static_score_norm: - dashed_name: process-previous-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.previous.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.previous.saved_user.roles: - dashed_name: process-previous-saved-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.previous.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.previous.start: - dashed_name: process-previous-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.previous.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.previous.supplemental_groups.domain: - dashed_name: process-previous-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.previous.supplemental_groups.id: - dashed_name: process-previous-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.previous.supplemental_groups.name: - dashed_name: process-previous-supplemental-groups-name - description: Name of the group. - flat_name: process.previous.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.previous.thread.capabilities.effective: - dashed_name: process-previous-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.previous.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword - process.previous.thread.capabilities.permitted: - dashed_name: process-previous-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.previous.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.previous.thread.id: - dashed_name: process-previous-thread-id - description: Thread ID. - example: 4242 - flat_name: process.previous.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long - process.previous.thread.name: - dashed_name: process-previous-thread-name - description: Thread name. - example: thread-0 - flat_name: process.previous.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword - process.previous.title: - dashed_name: process-previous-title - description: 'Process title. - - The proctitle, some times the same as process name. 
Can also be different: - for example a browser setting its title to the web page currently opened.' - flat_name: process.previous.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword - process.previous.tty: - dashed_name: process-previous-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.previous.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.previous.tty.char_device.major: - dashed_name: process-previous-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.previous.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long - process.previous.tty.char_device.minor: - dashed_name: process-previous-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.previous.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. 
- type: long - process.previous.tty.columns: - dashed_name: process-previous-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.previous.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.previous.tty.rows: - dashed_name: process-previous-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.previous.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.previous.uptime: - dashed_name: process-previous-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.previous.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long - process.previous.user.domain: - dashed_name: process-previous-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.previous.user.email: - dashed_name: process-previous-user-email - description: User email address. 
- flat_name: process.previous.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.previous.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.previous.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.previous.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.previous.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.previous.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. 
This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.previous.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.previous.user.entity.id: - dashed_name: process-previous-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.previous.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.previous.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.previous.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.previous.user.entity.lifecycle: - beta: This field is beta and subject to change. 
- dashed_name: process-previous-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.previous.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.previous.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.previous.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.previous.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.previous.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.previous.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. 
While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.previous.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.previous.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.previous.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.previous.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.previous.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.previous.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.previous.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.previous.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. 
- This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.previous.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.previous.user.full_name: - dashed_name: process-previous-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.previous.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.previous.user.group.domain: - dashed_name: process-previous-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.previous.user.group.id: - dashed_name: process-previous-user-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.previous.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.previous.user.group.name: - dashed_name: process-previous-user-group-name - description: Name of the group. - flat_name: process.previous.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.previous.user.hash: - dashed_name: process-previous-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.previous.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.previous.user.id: - dashed_name: process-previous-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.previous.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.previous.user.name: - dashed_name: process-previous-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.previous.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword - process.previous.user.risk.calculated_level: - dashed_name: process-previous-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.previous.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.previous.user.risk.calculated_score: - dashed_name: process-previous-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.previous.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.previous.user.risk.calculated_score_norm: - dashed_name: process-previous-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.previous.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.previous.user.risk.static_level: - dashed_name: process-previous-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.previous.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.previous.user.risk.static_score: - dashed_name: process-previous-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.previous.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.previous.user.risk.static_score_norm: - dashed_name: process-previous-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.previous.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.previous.user.roles: - dashed_name: process-previous-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.previous.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.previous.vpid: - dashed_name: process-previous-vpid - description: 'Virtual process id. - - The process id within a pid namespace. 
This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.previous.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.previous.working_directory: - dashed_name: process-previous-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.previous.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword - process.real_group.domain: - dashed_name: process-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.real_group.id: - dashed_name: process-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.real_group.name: - dashed_name: process-real-group-name - description: Name of the group. - flat_name: process.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.real_user.domain: - dashed_name: process-real-user-domain - description: 'Name of the directory the user is a member of. 
- - For example, an LDAP or Active Directory domain name.' - flat_name: process.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.real_user.email: - dashed_name: process-real-user-email - description: User email address. - flat_name: process.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. 
- type: object - process.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.real_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.real_user.entity.id: - dashed_name: process-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. 
- flat_name: process.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.real_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. 
- type: keyword - process.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. 
Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. 
This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. 
This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.real_user.full_name: - dashed_name: process-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.real_user.group.domain: - dashed_name: process-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.real_user.group.id: - dashed_name: process-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.real_user.group.name: - dashed_name: process-real-user-group-name - description: Name of the group. - flat_name: process.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.real_user.hash: - dashed_name: process-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.real_user.id: - dashed_name: process-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - otel: - - relation: match - short: Unique identifier of the user. - type: keyword - process.real_user.name: - dashed_name: process-real-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - otel: - - relation: match - short: Short name or login of the user. - type: keyword - process.real_user.risk.calculated_level: - dashed_name: process-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.real_user.risk.calculated_score: - dashed_name: process-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.real_user.risk.calculated_score_norm: - dashed_name: process-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float - process.real_user.risk.static_level: - dashed_name: process-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.real_user.risk.static_score: - dashed_name: process-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.real_user.risk.static_score_norm: - dashed_name: process-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.real_user.roles: - dashed_name: process-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword - process.responsible.args: - dashed_name: process-responsible-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.responsible.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.responsible.args_count: - dashed_name: process-responsible-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.responsible.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long - process.responsible.attested_groups.domain: - dashed_name: process-responsible-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.responsible.attested_groups.id: - dashed_name: process-responsible-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.responsible.attested_groups.name: - dashed_name: process-responsible-attested-groups-name - description: Name of the group. - flat_name: process.responsible.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.responsible.attested_user.domain: - dashed_name: process-responsible-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.responsible.attested_user.email: - dashed_name: process-responsible-attested-user-email - description: User email address. - flat_name: process.responsible.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.responsible.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.responsible.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.responsible.attested_user.entity.behavior: - beta: This field is beta and subject to change. 
- dashed_name: process-responsible-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.responsible.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.responsible.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.responsible.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.attested_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.responsible.attested_user.entity.id: - dashed_name: process-responsible-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). 
For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.responsible.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.responsible.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.responsible.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.responsible.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.responsible.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.responsible.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. 
- flat_name: process.responsible.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.responsible.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.responsible.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.attested_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.responsible.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.responsible.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.responsible.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. 
Format may vary by entity type and source system. - flat_name: process.responsible.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.responsible.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.responsible.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.responsible.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.responsible.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.responsible.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. 
Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. 
Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. 
- Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.responsible.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.responsible.attested_user.full_name: - dashed_name: process-responsible-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.responsible.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.responsible.attested_user.group.domain: - dashed_name: process-responsible-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.responsible.attested_user.group.id: - dashed_name: process-responsible-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.responsible.attested_user.group.name: - dashed_name: process-responsible-attested-user-group-name - description: Name of the group. 
- flat_name: process.responsible.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.responsible.attested_user.hash: - dashed_name: process-responsible-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.responsible.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.responsible.attested_user.id: - dashed_name: process-responsible-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.responsible.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.responsible.attested_user.name: - dashed_name: process-responsible-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.responsible.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.responsible.attested_user.risk.calculated_level: - dashed_name: process-responsible-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: High - flat_name: process.responsible.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.responsible.attested_user.risk.calculated_score: - dashed_name: process-responsible-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.responsible.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.responsible.attested_user.risk.calculated_score_norm: - dashed_name: process-responsible-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.responsible.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.responsible.attested_user.risk.static_level: - dashed_name: process-responsible-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.responsible.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.responsible.attested_user.risk.static_score: - dashed_name: process-responsible-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.responsible.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.responsible.attested_user.risk.static_score_norm: - dashed_name: process-responsible-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.responsible.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.responsible.attested_user.roles: - dashed_name: process-responsible-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.responsible.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword - process.responsible.code_signature.digest_algorithm: - dashed_name: process-responsible-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.responsible.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword - process.responsible.code_signature.exists: - dashed_name: process-responsible-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.responsible.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.responsible.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-responsible-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.responsible.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword - process.responsible.code_signature.signing_id: - dashed_name: process-responsible-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' 
- example: com.apple.xpc.proxy - flat_name: process.responsible.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword - process.responsible.code_signature.status: - dashed_name: process-responsible-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.responsible.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword - process.responsible.code_signature.subject_name: - dashed_name: process-responsible-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.responsible.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - process.responsible.code_signature.team_id: - dashed_name: process-responsible-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.responsible.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.responsible.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. 
- dashed_name: process-responsible-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.responsible.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword - process.responsible.code_signature.timestamp: - dashed_name: process-responsible-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.responsible.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date - process.responsible.code_signature.trusted: - dashed_name: process-responsible-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.responsible.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - process.responsible.code_signature.valid: - dashed_name: process-responsible-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.responsible.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. 
- type: boolean - process.responsible.command_line: - dashed_name: process-responsible-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.responsible.command_line - level: extended - multi_fields: - - flat_name: process.responsible.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.responsible.elf.architecture: - dashed_name: process-responsible-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.responsible.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword - process.responsible.elf.byte_order: - dashed_name: process-responsible-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.responsible.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword - process.responsible.elf.cpu_type: - dashed_name: process-responsible-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.responsible.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword - process.responsible.elf.creation_date: - dashed_name: process-responsible-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. 
- flat_name: process.responsible.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date - process.responsible.elf.exports: - dashed_name: process-responsible-elf-exports - description: List of exported element names and types. - flat_name: process.responsible.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - process.responsible.elf.go_import_hash: - dashed_name: process-responsible-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.responsible.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword - process.responsible.elf.go_imports: - dashed_name: process-responsible-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.responsible.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened - process.responsible.elf.go_imports_names_entropy: - dashed_name: process-responsible-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.responsible.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long - process.responsible.elf.go_imports_names_var_entropy: - dashed_name: process-responsible-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.responsible.elf.go_stripped: - dashed_name: process-responsible-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.responsible.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.responsible.elf.header.abi_version: - dashed_name: process-responsible-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.responsible.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword - process.responsible.elf.header.class: - dashed_name: process-responsible-elf-header-class - description: Header class of the ELF file. - flat_name: process.responsible.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. 
- type: keyword - process.responsible.elf.header.data: - dashed_name: process-responsible-elf-header-data - description: Data table of the ELF header. - flat_name: process.responsible.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword - process.responsible.elf.header.entrypoint: - dashed_name: process-responsible-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.responsible.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - process.responsible.elf.header.object_version: - dashed_name: process-responsible-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.responsible.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword - process.responsible.elf.header.os_abi: - dashed_name: process-responsible-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.responsible.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword - process.responsible.elf.header.type: - dashed_name: process-responsible-elf-header-type - description: Header type of the ELF file. - flat_name: process.responsible.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword - process.responsible.elf.header.version: - dashed_name: process-responsible-elf-header-version - description: Version of the ELF header. 
- flat_name: process.responsible.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword - process.responsible.elf.import_hash: - dashed_name: process-responsible-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.responsible.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword - process.responsible.elf.imports: - dashed_name: process-responsible-elf-imports - description: List of imported element names and types. - flat_name: process.responsible.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - process.responsible.elf.imports_names_entropy: - dashed_name: process-responsible-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.responsible.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.responsible.elf.imports_names_var_entropy: - dashed_name: process-responsible-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- flat_name: process.responsible.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.responsible.elf.sections: - dashed_name: process-responsible-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.responsible.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - process.responsible.elf.sections.chi2: - dashed_name: process-responsible-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.responsible.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - process.responsible.elf.sections.entropy: - dashed_name: process-responsible-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.responsible.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - process.responsible.elf.sections.flags: - dashed_name: process-responsible-elf-sections-flags - description: ELF Section List flags. - flat_name: process.responsible.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword - process.responsible.elf.sections.name: - dashed_name: process-responsible-elf-sections-name - description: ELF Section List name. 
- flat_name: process.responsible.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - process.responsible.elf.sections.physical_offset: - dashed_name: process-responsible-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.responsible.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword - process.responsible.elf.sections.physical_size: - dashed_name: process-responsible-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.responsible.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long - process.responsible.elf.sections.type: - dashed_name: process-responsible-elf-sections-type - description: ELF Section List type. - flat_name: process.responsible.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword - process.responsible.elf.sections.var_entropy: - dashed_name: process-responsible-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.responsible.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long - process.responsible.elf.sections.virtual_address: - dashed_name: process-responsible-elf-sections-virtual-address - description: ELF Section List virtual address. 
- flat_name: process.responsible.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - process.responsible.elf.sections.virtual_size: - dashed_name: process-responsible-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.responsible.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long - process.responsible.elf.segments: - dashed_name: process-responsible-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: process.responsible.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested - process.responsible.elf.segments.sections: - dashed_name: process-responsible-elf-segments-sections - description: ELF object segment sections. - flat_name: process.responsible.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword - process.responsible.elf.segments.type: - dashed_name: process-responsible-elf-segments-type - description: ELF object segment type. - flat_name: process.responsible.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword - process.responsible.elf.shared_libraries: - dashed_name: process-responsible-elf-shared-libraries - description: List of shared libraries used by this ELF object. 
- flat_name: process.responsible.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword - process.responsible.elf.telfhash: - dashed_name: process-responsible-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.responsible.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - process.responsible.end: - dashed_name: process-responsible-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.responsible.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date - process.responsible.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-responsible-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.responsible.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.responsible.entity_id: - dashed_name: process-responsible-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' 
- example: c2c455d9f99375d - flat_name: process.responsible.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.responsible.entry_meta.source.address: - dashed_name: process-responsible-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.responsible.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword - process.responsible.entry_meta.source.as.number: - dashed_name: process-responsible-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.responsible.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.responsible.entry_meta.source.as.organization.name: - dashed_name: process-responsible-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.responsible.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. 
- type: keyword - process.responsible.entry_meta.source.bytes: - dashed_name: process-responsible-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.responsible.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.responsible.entry_meta.source.domain: - dashed_name: process-responsible-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.responsible.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.responsible.entry_meta.source.geo.city_name: - dashed_name: process-responsible-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.responsible.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.responsible.entry_meta.source.geo.continent_code: - dashed_name: process-responsible-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.responsible.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - process.responsible.entry_meta.source.geo.continent_name: - dashed_name: process-responsible-entry-meta-source-geo-continent-name - description: Name of the continent. 
- example: North America - flat_name: process.responsible.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.responsible.entry_meta.source.geo.country_iso_code: - dashed_name: process-responsible-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.responsible.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - process.responsible.entry_meta.source.geo.country_name: - dashed_name: process-responsible-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.responsible.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - process.responsible.entry_meta.source.geo.location: - dashed_name: process-responsible-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.responsible.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - process.responsible.entry_meta.source.geo.name: - dashed_name: process-responsible-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' 
- example: boston-dc - flat_name: process.responsible.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.responsible.entry_meta.source.geo.postal_code: - dashed_name: process-responsible-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.responsible.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.responsible.entry_meta.source.geo.region_iso_code: - dashed_name: process-responsible-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.responsible.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.responsible.entry_meta.source.geo.region_name: - dashed_name: process-responsible-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.responsible.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - process.responsible.entry_meta.source.geo.timezone: - dashed_name: process-responsible-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.responsible.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. 
- type: keyword - process.responsible.entry_meta.source.ip: - dashed_name: process-responsible-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.responsible.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip - process.responsible.entry_meta.source.mac: - dashed_name: process-responsible-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.responsible.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.responsible.entry_meta.source.nat.ip: - dashed_name: process-responsible-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.responsible.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.responsible.entry_meta.source.nat.port: - dashed_name: process-responsible-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' 
- flat_name: process.responsible.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.responsible.entry_meta.source.packets: - dashed_name: process-responsible-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.responsible.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.responsible.entry_meta.source.port: - dashed_name: process-responsible-entry-meta-source-port - description: Port of the source. - flat_name: process.responsible.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.responsible.entry_meta.source.registered_domain: - dashed_name: process-responsible-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.responsible.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.responsible.entry_meta.source.subdomain: - dashed_name: process-responsible-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. 
In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.responsible.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword - process.responsible.entry_meta.source.top_level_domain: - dashed_name: process-responsible-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.responsible.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword - process.responsible.entry_meta.type: - dashed_name: process-responsible-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.responsible.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. 
- type: keyword - process.responsible.env_vars: - dashed_name: process-responsible-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.responsible.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.responsible.executable: - dashed_name: process-responsible-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.responsible.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword - process.responsible.exit_code: - dashed_name: process-responsible-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.responsible.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long - process.responsible.group.domain: - dashed_name: process-responsible-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.responsible.group.id: - dashed_name: process-responsible-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.responsible.group.name: - dashed_name: process-responsible-group-name - description: Name of the group. - flat_name: process.responsible.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.responsible.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-responsible-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.responsible.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.responsible.hash.md5: - dashed_name: process-responsible-hash-md5 - description: MD5 hash. - flat_name: process.responsible.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.responsible.hash.sha1: - dashed_name: process-responsible-hash-sha1 - description: SHA1 hash. - flat_name: process.responsible.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.responsible.hash.sha256: - dashed_name: process-responsible-hash-sha256 - description: SHA256 hash. 
- flat_name: process.responsible.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.responsible.hash.sha384: - dashed_name: process-responsible-hash-sha384 - description: SHA384 hash. - flat_name: process.responsible.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword - process.responsible.hash.sha512: - dashed_name: process-responsible-hash-sha512 - description: SHA512 hash. - flat_name: process.responsible.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.responsible.hash.ssdeep: - dashed_name: process-responsible-hash-ssdeep - description: SSDEEP hash. - flat_name: process.responsible.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword - process.responsible.hash.tlsh: - dashed_name: process-responsible-hash-tlsh - description: TLSH hash. - flat_name: process.responsible.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.responsible.interactive: - dashed_name: process-responsible-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). 
A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.responsible.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.responsible.io: - dashed_name: process-responsible-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.responsible.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object - process.responsible.io.bytes_skipped: - dashed_name: process-responsible-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - flat_name: process.responsible.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been - skipped. - type: object - process.responsible.io.bytes_skipped.length: - dashed_name: process-responsible-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.responsible.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long - process.responsible.io.bytes_skipped.offset: - dashed_name: process-responsible-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. 
- flat_name: process.responsible.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.responsible.io.max_bytes_per_process_exceeded: - dashed_name: process-responsible-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.responsible.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean - process.responsible.io.text: - dashed_name: process-responsible-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.responsible.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard - process.responsible.io.total_bytes_captured: - dashed_name: process-responsible-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.responsible.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. 
- type: long - process.responsible.io.total_bytes_skipped: - dashed_name: process-responsible-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.responsible.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. - type: long - process.responsible.io.type: - dashed_name: process-responsible-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - flat_name: process.responsible.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword - process.responsible.macho.go_import_hash: - dashed_name: process-responsible-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.responsible.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. 
- type: keyword - process.responsible.macho.go_imports: - dashed_name: process-responsible-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.responsible.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.responsible.macho.go_imports_names_entropy: - dashed_name: process-responsible-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long - process.responsible.macho.go_imports_names_var_entropy: - dashed_name: process-responsible-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.responsible.macho.go_stripped: - dashed_name: process-responsible-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.responsible.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.responsible.macho.import_hash: - dashed_name: process-responsible-macho-import-hash - description: 'A hash of the imports in a Mach-O file. 
An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.responsible.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.responsible.macho.imports: - dashed_name: process-responsible-macho-imports - description: List of imported element names and types. - flat_name: process.responsible.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened - process.responsible.macho.imports_names_entropy: - dashed_name: process-responsible-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.responsible.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.responsible.macho.imports_names_var_entropy: - dashed_name: process-responsible-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.responsible.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.responsible.macho.sections: - dashed_name: process-responsible-macho-sections - description: 'An array containing an object for each section of the Mach-O file. 
- - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.responsible.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.responsible.macho.sections.entropy: - dashed_name: process-responsible-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.responsible.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long - process.responsible.macho.sections.name: - dashed_name: process-responsible-macho-sections-name - description: Mach-O Section List name. - flat_name: process.responsible.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.responsible.macho.sections.physical_size: - dashed_name: process-responsible-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.responsible.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long - process.responsible.macho.sections.var_entropy: - dashed_name: process-responsible-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.responsible.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. 
- type: long - process.responsible.macho.sections.virtual_size: - dashed_name: process-responsible-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.responsible.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long - process.responsible.macho.symhash: - dashed_name: process-responsible-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.responsible.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.responsible.name: - dashed_name: process-responsible-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.responsible.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword - process.responsible.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-responsible-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. 
- example: http://example.com/article1.html - flat_name: process.responsible.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.responsible.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-responsible-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.responsible.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword - process.responsible.pe.architecture: - dashed_name: process-responsible-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.responsible.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword - process.responsible.pe.company: - dashed_name: process-responsible-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.responsible.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.responsible.pe.description: - dashed_name: process-responsible-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.responsible.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. 
- type: keyword - process.responsible.pe.file_version: - dashed_name: process-responsible-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.responsible.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - process.responsible.pe.go_import_hash: - dashed_name: process-responsible-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.responsible.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.responsible.pe.go_imports: - dashed_name: process-responsible-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.responsible.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.responsible.pe.go_imports_names_entropy: - dashed_name: process-responsible-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. 
- type: long - process.responsible.pe.go_imports_names_var_entropy: - dashed_name: process-responsible-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.responsible.pe.go_stripped: - dashed_name: process-responsible-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.responsible.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.responsible.pe.imphash: - dashed_name: process-responsible-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.responsible.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.responsible.pe.import_hash: - dashed_name: process-responsible-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.responsible.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.responsible.pe.imports: - dashed_name: process-responsible-pe-imports - description: List of imported element names and types. - flat_name: process.responsible.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened - process.responsible.pe.imports_names_entropy: - dashed_name: process-responsible-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.responsible.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.responsible.pe.imports_names_var_entropy: - dashed_name: process-responsible-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.responsible.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.responsible.pe.original_file_name: - dashed_name: process-responsible-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.responsible.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. 
- type: keyword - process.responsible.pe.pehash: - dashed_name: process-responsible-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.responsible.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword - process.responsible.pe.product: - dashed_name: process-responsible-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.responsible.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.responsible.pe.sections: - dashed_name: process-responsible-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.responsible.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested - process.responsible.pe.sections.entropy: - dashed_name: process-responsible-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.responsible.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. 
- type: long - process.responsible.pe.sections.name: - dashed_name: process-responsible-pe-sections-name - description: PE Section List name. - flat_name: process.responsible.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword - process.responsible.pe.sections.physical_size: - dashed_name: process-responsible-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.responsible.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.responsible.pe.sections.var_entropy: - dashed_name: process-responsible-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.responsible.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.responsible.pe.sections.virtual_size: - dashed_name: process-responsible-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.responsible.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.responsible.pid: - dashed_name: process-responsible-pid - description: Process id. - example: 4242 - flat_name: process.responsible.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.responsible.platform_binary: - beta: This field is beta and subject to change. 
- dashed_name: process-responsible-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.responsible.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.responsible.real_group.domain: - dashed_name: process-responsible-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.responsible.real_group.id: - dashed_name: process-responsible-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.responsible.real_group.name: - dashed_name: process-responsible-real-group-name - description: Name of the group. - flat_name: process.responsible.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.responsible.real_user.domain: - dashed_name: process-responsible-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. 
- type: keyword - process.responsible.real_user.email: - dashed_name: process-responsible-real-user-email - description: User email address. - flat_name: process.responsible.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.responsible.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.responsible.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.responsible.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.responsible.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.responsible.real_user.entity.display_name: - beta: This field is beta and subject to change. 
- dashed_name: process-responsible-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.responsible.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.real_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.responsible.real_user.entity.id: - dashed_name: process-responsible-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.responsible.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.responsible.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. 
- flat_name: process.responsible.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.responsible.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.responsible.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.responsible.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.responsible.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.responsible.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. 
- flat_name: process.responsible.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.real_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.responsible.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.responsible.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.responsible.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.responsible.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.responsible.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). 
- flat_name: process.responsible.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.responsible.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.responsible.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.responsible.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. 
- Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. 
Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.responsible.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.responsible.real_user.full_name: - dashed_name: process-responsible-real-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.responsible.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.responsible.real_user.group.domain: - dashed_name: process-responsible-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.responsible.real_user.group.id: - dashed_name: process-responsible-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.responsible.real_user.group.name: - dashed_name: process-responsible-real-user-group-name - description: Name of the group. - flat_name: process.responsible.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.responsible.real_user.hash: - dashed_name: process-responsible-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.responsible.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.responsible.real_user.id: - dashed_name: process-responsible-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.responsible.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.responsible.real_user.name: - dashed_name: process-responsible-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.responsible.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.responsible.real_user.risk.calculated_level: - dashed_name: process-responsible-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.responsible.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.responsible.real_user.risk.calculated_score: - dashed_name: process-responsible-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.responsible.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.responsible.real_user.risk.calculated_score_norm: - dashed_name: process-responsible-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.responsible.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.responsible.real_user.risk.static_level: - dashed_name: process-responsible-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.responsible.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.responsible.real_user.risk.static_score: - dashed_name: process-responsible-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.responsible.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.responsible.real_user.risk.static_score_norm: - dashed_name: process-responsible-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.responsible.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.responsible.real_user.roles: - dashed_name: process-responsible-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.responsible.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.responsible.same_as_process: - dashed_name: process-responsible-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. 
- e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.responsible.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.responsible.saved_group.domain: - dashed_name: process-responsible-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.responsible.saved_group.id: - dashed_name: process-responsible-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.responsible.saved_group.name: - dashed_name: process-responsible-saved-group-name - description: Name of the group. - flat_name: process.responsible.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.responsible.saved_user.domain: - dashed_name: process-responsible-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.responsible.saved_user.email: - dashed_name: process-responsible-saved-user-email - description: User email address. - flat_name: process.responsible.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.responsible.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.responsible.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.responsible.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. 
Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.responsible.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.responsible.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.responsible.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.saved_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.responsible.saved_user.entity.id: - dashed_name: process-responsible-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' 
- flat_name: process.responsible.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.responsible.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.responsible.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.responsible.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.responsible.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.responsible.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.responsible.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. 
- type: object - process.responsible.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.responsible.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.saved_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.responsible.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.responsible.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.responsible.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. 
- flat_name: process.responsible.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.responsible.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.responsible.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.responsible.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.responsible.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.responsible.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. 
- name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. 
This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
- example: host - flat_name: process.responsible.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.responsible.saved_user.full_name: - dashed_name: process-responsible-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.responsible.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.responsible.saved_user.group.domain: - dashed_name: process-responsible-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.responsible.saved_user.group.id: - dashed_name: process-responsible-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.responsible.saved_user.group.name: - dashed_name: process-responsible-saved-user-group-name - description: Name of the group. - flat_name: process.responsible.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.responsible.saved_user.hash: - dashed_name: process-responsible-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.responsible.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.responsible.saved_user.id: - dashed_name: process-responsible-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.responsible.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.responsible.saved_user.name: - dashed_name: process-responsible-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.responsible.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.responsible.saved_user.risk.calculated_level: - dashed_name: process-responsible-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.responsible.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: keyword - process.responsible.saved_user.risk.calculated_score: - dashed_name: process-responsible-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.responsible.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.responsible.saved_user.risk.calculated_score_norm: - dashed_name: process-responsible-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.responsible.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.responsible.saved_user.risk.static_level: - dashed_name: process-responsible-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.responsible.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.responsible.saved_user.risk.static_score: - dashed_name: process-responsible-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.responsible.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.responsible.saved_user.risk.static_score_norm: - dashed_name: process-responsible-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.responsible.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.responsible.saved_user.roles: - dashed_name: process-responsible-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.responsible.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.responsible.start: - dashed_name: process-responsible-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.responsible.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.responsible.supplemental_groups.domain: - dashed_name: process-responsible-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.responsible.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.responsible.supplemental_groups.id: - dashed_name: process-responsible-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.responsible.supplemental_groups.name: - dashed_name: process-responsible-supplemental-groups-name - description: Name of the group. - flat_name: process.responsible.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.responsible.thread.capabilities.effective: - dashed_name: process-responsible-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.responsible.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword - process.responsible.thread.capabilities.permitted: - dashed_name: process-responsible-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.responsible.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.responsible.thread.id: - dashed_name: process-responsible-thread-id - description: Thread ID. - example: 4242 - flat_name: process.responsible.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long - process.responsible.thread.name: - dashed_name: process-responsible-thread-name - description: Thread name. - example: thread-0 - flat_name: process.responsible.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword - process.responsible.title: - dashed_name: process-responsible-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - flat_name: process.responsible.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword - process.responsible.tty: - dashed_name: process-responsible-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.responsible.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. 
- type: object - process.responsible.tty.char_device.major: - dashed_name: process-responsible-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.responsible.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long - process.responsible.tty.char_device.minor: - dashed_name: process-responsible-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.responsible.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long - process.responsible.tty.columns: - dashed_name: process-responsible-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.responsible.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.responsible.tty.rows: - dashed_name: process-responsible-tty-rows - description: 'The number of character rows in the terminal. 
e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.responsible.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.responsible.uptime: - dashed_name: process-responsible-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.responsible.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long - process.responsible.user.domain: - dashed_name: process-responsible-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.responsible.user.email: - dashed_name: process-responsible-user-email - description: User email address. - flat_name: process.responsible.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.responsible.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. 
- flat_name: process.responsible.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.responsible.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.responsible.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.responsible.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.responsible.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.responsible.user.entity.id: - dashed_name: process-responsible-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.responsible.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.responsible.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.responsible.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.responsible.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.responsible.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. 
- type: object - process.responsible.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.responsible.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.responsible.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.responsible.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.responsible.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.responsible.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.responsible.user.entity.reference: - beta: This field is beta and subject to change. 
- dashed_name: process-responsible-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.responsible.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.responsible.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.responsible.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.responsible.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.responsible.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. 
- type: keyword - process.responsible.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. 
- name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-type - description: 'A standardized high-level classification of the entity. 
This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.responsible.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.responsible.user.full_name: - dashed_name: process-responsible-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.responsible.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.responsible.user.group.domain: - dashed_name: process-responsible-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.responsible.user.group.id: - dashed_name: process-responsible-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.responsible.user.group.name: - dashed_name: process-responsible-user-group-name - description: Name of the group. 
- flat_name: process.responsible.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.responsible.user.hash: - dashed_name: process-responsible-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.responsible.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.responsible.user.id: - dashed_name: process-responsible-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.responsible.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.responsible.user.name: - dashed_name: process-responsible-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.responsible.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.responsible.user.risk.calculated_level: - dashed_name: process-responsible-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: High - flat_name: process.responsible.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.responsible.user.risk.calculated_score: - dashed_name: process-responsible-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.responsible.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.responsible.user.risk.calculated_score_norm: - dashed_name: process-responsible-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.responsible.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.responsible.user.risk.static_level: - dashed_name: process-responsible-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.responsible.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: keyword - process.responsible.user.risk.static_score: - dashed_name: process-responsible-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.responsible.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.responsible.user.risk.static_score_norm: - dashed_name: process-responsible-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.responsible.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.responsible.user.roles: - dashed_name: process-responsible-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.responsible.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.responsible.vpid: - dashed_name: process-responsible-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.responsible.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. 
- type: long - process.responsible.working_directory: - dashed_name: process-responsible-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.responsible.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword - process.same_as_process: - dashed_name: process-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.same_as_process - level: extended - name: same_as_process - normalize: [] - short: This boolean is used to identify if a leader process is the same as the - top level process. 
- type: boolean - process.saved_group.domain: - dashed_name: process-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.saved_group.id: - dashed_name: process-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.saved_group.name: - dashed_name: process-saved-group-name - description: Name of the group. - flat_name: process.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.saved_user.domain: - dashed_name: process-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.saved_user.email: - dashed_name: process-saved-user-email - description: User email address. - flat_name: process.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. 
Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.saved_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. 
- type: keyword - process.saved_user.entity.id: - dashed_name: process-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.saved_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. 
- type: object - process.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. 
- type: keyword - process.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. 
- name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-type - description: 'A standardized high-level classification of the entity. 
This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.saved_user.full_name: - dashed_name: process-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.saved_user.group.domain: - dashed_name: process-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.saved_user.group.id: - dashed_name: process-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.saved_user.group.name: - dashed_name: process-saved-user-group-name - description: Name of the group. - flat_name: process.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.saved_user.hash: - dashed_name: process-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.saved_user.id: - dashed_name: process-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - otel: - - relation: match - short: Unique identifier of the user. - type: keyword - process.saved_user.name: - dashed_name: process-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - otel: - - relation: match - short: Short name or login of the user. - type: keyword - process.saved_user.risk.calculated_level: - dashed_name: process-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: keyword - process.saved_user.risk.calculated_score: - dashed_name: process-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.saved_user.risk.calculated_score_norm: - dashed_name: process-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.saved_user.risk.static_level: - dashed_name: process-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.saved_user.risk.static_score: - dashed_name: process-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.saved_user.risk.static_score_norm: - dashed_name: process-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.saved_user.roles: - dashed_name: process-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.args: - dashed_name: process-session-leader-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.session_leader.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.session_leader.args_count: - dashed_name: process-session-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. 
More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.session_leader.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long - process.session_leader.attested_groups.domain: - dashed_name: process-session-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.attested_groups.id: - dashed_name: process-session-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.attested_groups.name: - dashed_name: process-session-leader-attested-groups-name - description: Name of the group. - flat_name: process.session_leader.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.attested_user.domain: - dashed_name: process-session-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. 
- type: keyword - process.session_leader.attested_user.email: - dashed_name: process-session-leader-attested-user-email - description: User email address. - flat_name: process.session_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.session_leader.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.session_leader.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. 
- type: object - process.session_leader.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.attested_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.session_leader.attested_user.entity.id: - dashed_name: process-session-leader-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.session_leader.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.session_leader.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.session_leader.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.session_leader.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.session_leader.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.session_leader.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-name - description: The name of the entity. 
The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.session_leader.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.attested_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.session_leader.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.session_leader.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.session_leader.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.session_leader.attested_user.entity.source: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-attested-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.session_leader.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.session_leader.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.session_leader.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. 
- The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. 
Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.session_leader.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. 
- type: keyword - process.session_leader.attested_user.full_name: - dashed_name: process-session-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.attested_user.group.domain: - dashed_name: process-session-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.attested_user.group.id: - dashed_name: process-session-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.attested_user.group.name: - dashed_name: process-session-leader-attested-user-group-name - description: Name of the group. - flat_name: process.session_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.attested_user.hash: - dashed_name: process-session-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. 
- - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.session_leader.attested_user.id: - dashed_name: process-session-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.session_leader.attested_user.name: - dashed_name: process-session-leader-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.session_leader.attested_user.risk.calculated_level: - dashed_name: process-session-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: keyword - process.session_leader.attested_user.risk.calculated_score: - dashed_name: process-session-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.session_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-session-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.session_leader.attested_user.risk.static_level: - dashed_name: process-session-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: keyword - process.session_leader.attested_user.risk.static_score: - dashed_name: process-session-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.session_leader.attested_user.risk.static_score_norm: - dashed_name: process-session-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.attested_user.roles: - dashed_name: process-session-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.code_signature.digest_algorithm: - dashed_name: process-session-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' 
- example: sha256 - flat_name: process.session_leader.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword - process.session_leader.code_signature.exists: - dashed_name: process-session-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.session_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.session_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.session_leader.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword - process.session_leader.code_signature.signing_id: - dashed_name: process-session-leader-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.session_leader.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword - process.session_leader.code_signature.status: - dashed_name: process-session-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. 
Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.session_leader.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword - process.session_leader.code_signature.subject_name: - dashed_name: process-session-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.session_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - process.session_leader.code_signature.team_id: - dashed_name: process-session-leader-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.session_leader.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.session_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.session_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. 
- type: keyword - process.session_leader.code_signature.timestamp: - dashed_name: process-session-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.session_leader.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date - process.session_leader.code_signature.trusted: - dashed_name: process-session-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.session_leader.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - process.session_leader.code_signature.valid: - dashed_name: process-session-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.session_leader.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - process.session_leader.command_line: - dashed_name: process-session-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' 
- example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.session_leader.command_line - level: extended - multi_fields: - - flat_name: process.session_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.session_leader.elf.architecture: - dashed_name: process-session-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.session_leader.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword - process.session_leader.elf.byte_order: - dashed_name: process-session-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.session_leader.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword - process.session_leader.elf.cpu_type: - dashed_name: process-session-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.session_leader.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword - process.session_leader.elf.creation_date: - dashed_name: process-session-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: process.session_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. 
- type: date - process.session_leader.elf.exports: - dashed_name: process-session-leader-elf-exports - description: List of exported element names and types. - flat_name: process.session_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - process.session_leader.elf.go_import_hash: - dashed_name: process-session-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword - process.session_leader.elf.go_imports: - dashed_name: process-session-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened - process.session_leader.elf.go_imports_names_entropy: - dashed_name: process-session-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. 
- type: long - process.session_leader.elf.go_imports_names_var_entropy: - dashed_name: process-session-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.elf.go_stripped: - dashed_name: process-session-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.session_leader.elf.header.abi_version: - dashed_name: process-session-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.session_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword - process.session_leader.elf.header.class: - dashed_name: process-session-leader-elf-header-class - description: Header class of the ELF file. - flat_name: process.session_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword - process.session_leader.elf.header.data: - dashed_name: process-session-leader-elf-header-data - description: Data table of the ELF header. 
- flat_name: process.session_leader.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword - process.session_leader.elf.header.entrypoint: - dashed_name: process-session-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.session_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - process.session_leader.elf.header.object_version: - dashed_name: process-session-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.session_leader.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword - process.session_leader.elf.header.os_abi: - dashed_name: process-session-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.session_leader.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword - process.session_leader.elf.header.type: - dashed_name: process-session-leader-elf-header-type - description: Header type of the ELF file. - flat_name: process.session_leader.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword - process.session_leader.elf.header.version: - dashed_name: process-session-leader-elf-header-version - description: Version of the ELF header. 
- flat_name: process.session_leader.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword - process.session_leader.elf.import_hash: - dashed_name: process-session-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword - process.session_leader.elf.imports: - dashed_name: process-session-leader-elf-imports - description: List of imported element names and types. - flat_name: process.session_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - process.session_leader.elf.imports_names_entropy: - dashed_name: process-session-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.session_leader.elf.imports_names_var_entropy: - dashed_name: process-session-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- flat_name: process.session_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.session_leader.elf.sections: - dashed_name: process-session-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.session_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - process.session_leader.elf.sections.chi2: - dashed_name: process-session-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.session_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - process.session_leader.elf.sections.entropy: - dashed_name: process-session-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.session_leader.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - process.session_leader.elf.sections.flags: - dashed_name: process-session-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.session_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. 
- type: keyword - process.session_leader.elf.sections.name: - dashed_name: process-session-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.session_leader.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - process.session_leader.elf.sections.physical_offset: - dashed_name: process-session-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.session_leader.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword - process.session_leader.elf.sections.physical_size: - dashed_name: process-session-leader-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.session_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long - process.session_leader.elf.sections.type: - dashed_name: process-session-leader-elf-sections-type - description: ELF Section List type. - flat_name: process.session_leader.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword - process.session_leader.elf.sections.var_entropy: - dashed_name: process-session-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. 
- type: long - process.session_leader.elf.sections.virtual_address: - dashed_name: process-session-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.session_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - process.session_leader.elf.sections.virtual_size: - dashed_name: process-session-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.session_leader.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long - process.session_leader.elf.segments: - dashed_name: process-session-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: process.session_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested - process.session_leader.elf.segments.sections: - dashed_name: process-session-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.session_leader.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword - process.session_leader.elf.segments.type: - dashed_name: process-session-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.session_leader.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. 
- type: keyword - process.session_leader.elf.shared_libraries: - dashed_name: process-session-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.session_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword - process.session_leader.elf.telfhash: - dashed_name: process-session-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.session_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - process.session_leader.end: - dashed_name: process-session-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date - process.session_leader.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.session_leader.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.session_leader.entity_id: - dashed_name: process-session-leader-entity-id - description: 'Unique identifier for the process. 
- - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.session_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.session_leader.entry_meta.source.address: - dashed_name: process-session-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.session_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword - process.session_leader.entry_meta.source.as.number: - dashed_name: process-session-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.session_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.session_leader.entry_meta.source.as.organization.name: - dashed_name: process-session-leader-entry-meta-source-as-organization-name - description: Organization name. 
- example: Google LLC - flat_name: process.session_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword - process.session_leader.entry_meta.source.bytes: - dashed_name: process-session-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.session_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.session_leader.entry_meta.source.domain: - dashed_name: process-session-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.session_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.session_leader.entry_meta.source.geo.city_name: - dashed_name: process-session-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.session_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.session_leader.entry_meta.source.geo.continent_code: - dashed_name: process-session-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. 
- example: NA - flat_name: process.session_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - process.session_leader.entry_meta.source.geo.continent_name: - dashed_name: process-session-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.session_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.session_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-session-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.session_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - process.session_leader.entry_meta.source.geo.country_name: - dashed_name: process-session-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.session_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - process.session_leader.entry_meta.source.geo.location: - dashed_name: process-session-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.session_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. 
- type: geo_point - process.session_leader.entry_meta.source.geo.name: - dashed_name: process-session-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.session_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.session_leader.entry_meta.source.geo.postal_code: - dashed_name: process-session-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.session_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.session_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-session-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.session_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.session_leader.entry_meta.source.geo.region_name: - dashed_name: process-session-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.session_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. 
- type: keyword - process.session_leader.entry_meta.source.geo.timezone: - dashed_name: process-session-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.session_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.session_leader.entry_meta.source.ip: - dashed_name: process-session-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.session_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip - process.session_leader.entry_meta.source.mac: - dashed_name: process-session-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.session_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.session_leader.entry_meta.source.nat.ip: - dashed_name: process-session-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' 
- flat_name: process.session_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.session_leader.entry_meta.source.nat.port: - dashed_name: process-session-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.session_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.session_leader.entry_meta.source.packets: - dashed_name: process-session-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.session_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.session_leader.entry_meta.source.port: - dashed_name: process-session-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.session_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.session_leader.entry_meta.source.registered_domain: - dashed_name: process-session-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' 
- example: example.com - flat_name: process.session_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.session_leader.entry_meta.source.subdomain: - dashed_name: process-session-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.session_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword - process.session_leader.entry_meta.source.top_level_domain: - dashed_name: process-session-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' 
- example: co.uk - flat_name: process.session_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword - process.session_leader.entry_meta.type: - dashed_name: process-session-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.session_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword - process.session_leader.env_vars: - dashed_name: process-session-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.session_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.session_leader.executable: - dashed_name: process-session-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.session_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. 
- type: keyword - process.session_leader.exit_code: - dashed_name: process-session-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.session_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long - process.session_leader.group.domain: - dashed_name: process-session-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.group.id: - dashed_name: process-session-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.group.name: - dashed_name: process-session-leader-group-name - description: Name of the group. - flat_name: process.session_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. 
- example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.session_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.session_leader.hash.md5: - dashed_name: process-session-leader-hash-md5 - description: MD5 hash. - flat_name: process.session_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.session_leader.hash.sha1: - dashed_name: process-session-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.session_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.session_leader.hash.sha256: - dashed_name: process-session-leader-hash-sha256 - description: SHA256 hash. - flat_name: process.session_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.session_leader.hash.sha384: - dashed_name: process-session-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.session_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword - process.session_leader.hash.sha512: - dashed_name: process-session-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.session_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.session_leader.hash.ssdeep: - dashed_name: process-session-leader-hash-ssdeep - description: SSDEEP hash. 
- flat_name: process.session_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword - process.session_leader.hash.tlsh: - dashed_name: process-session-leader-hash-tlsh - description: TLSH hash. - flat_name: process.session_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.session_leader.interactive: - dashed_name: process-session-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.session_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.session_leader.io: - dashed_name: process-session-leader-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.session_leader.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. 
- type: object - process.session_leader.io.bytes_skipped: - dashed_name: process-session-leader-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - flat_name: process.session_leader.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been - skipped. - type: object - process.session_leader.io.bytes_skipped.length: - dashed_name: process-session-leader-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.session_leader.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long - process.session_leader.io.bytes_skipped.offset: - dashed_name: process-session-leader-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.session_leader.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.session_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-session-leader-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.session_leader.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. 
- type: boolean - process.session_leader.io.text: - dashed_name: process-session-leader-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.session_leader.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard - process.session_leader.io.total_bytes_captured: - dashed_name: process-session-leader-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.session_leader.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long - process.session_leader.io.total_bytes_skipped: - dashed_name: process-session-leader-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.session_leader.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. - type: long - process.session_leader.io.type: - dashed_name: process-session-leader-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' 
- flat_name: process.session_leader.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword - process.session_leader.macho.go_import_hash: - dashed_name: process-session-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword - process.session_leader.macho.go_imports: - dashed_name: process-session-leader-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.session_leader.macho.go_imports_names_entropy: - dashed_name: process-session-leader-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. 
- type: long - process.session_leader.macho.go_imports_names_var_entropy: - dashed_name: process-session-leader-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.macho.go_stripped: - dashed_name: process-session-leader-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.session_leader.macho.import_hash: - dashed_name: process-session-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.session_leader.macho.imports: - dashed_name: process-session-leader-macho-imports - description: List of imported element names and types. - flat_name: process.session_leader.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. 
- type: flattened - process.session_leader.macho.imports_names_entropy: - dashed_name: process-session-leader-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.session_leader.macho.imports_names_var_entropy: - dashed_name: process-session-leader-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.session_leader.macho.sections: - dashed_name: process-session-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.session_leader.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.session_leader.macho.sections.entropy: - dashed_name: process-session-leader-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.session_leader.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. 
- type: long - process.session_leader.macho.sections.name: - dashed_name: process-session-leader-macho-sections-name - description: Mach-O Section List name. - flat_name: process.session_leader.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.session_leader.macho.sections.physical_size: - dashed_name: process-session-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.session_leader.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long - process.session_leader.macho.sections.var_entropy: - dashed_name: process-session-leader-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long - process.session_leader.macho.sections.virtual_size: - dashed_name: process-session-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.session_leader.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long - process.session_leader.macho.symhash: - dashed_name: process-session-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. 
An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.session_leader.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.session_leader.name: - dashed_name: process-session-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.session_leader.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword - process.session_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.session_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.session_leader.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.session_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. 
- type: keyword - process.session_leader.parent.args: - dashed_name: process-session-leader-parent-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.session_leader.parent.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.session_leader.parent.args_count: - dashed_name: process-session-leader-parent-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.session_leader.parent.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long - process.session_leader.parent.attested_groups.domain: - dashed_name: process-session-leader-parent-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.attested_groups.id: - dashed_name: process-session-leader-parent-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.session_leader.parent.attested_groups.name: - dashed_name: process-session-leader-parent-attested-groups-name - description: Name of the group. - flat_name: process.session_leader.parent.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.attested_user.domain: - dashed_name: process-session-leader-parent-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.session_leader.parent.attested_user.email: - dashed_name: process-session-leader-parent-attested-user-email - description: User email address. - flat_name: process.session_leader.parent.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.parent.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.session_leader.parent.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. 
- type: object - process.session_leader.parent.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.session_leader.parent.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.parent.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.attested_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.session_leader.parent.attested_user.entity.id: - dashed_name: process-session-leader-parent-attested-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.session_leader.parent.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.session_leader.parent.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.parent.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.session_leader.parent.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.session_leader.parent.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.session_leader.parent.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.session_leader.parent.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.session_leader.parent.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.session_leader.parent.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.attested_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.session_leader.parent.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. 
While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.session_leader.parent.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.session_leader.parent.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.parent.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.session_leader.parent.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.session_leader.parent.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.session_leader.parent.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. 
Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.parent.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.session_leader.parent.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. 
This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. 
This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.session_leader.parent.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.session_leader.parent.attested_user.full_name: - dashed_name: process-session-leader-parent-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.parent.attested_user.group.domain: - dashed_name: process-session-leader-parent-attested-user-group-domain - description: 'Name of the directory the group is a member of. 
- - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.attested_user.group.id: - dashed_name: process-session-leader-parent-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.attested_user.group.name: - dashed_name: process-session-leader-parent-attested-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.attested_user.hash: - dashed_name: process-session-leader-parent-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.session_leader.parent.attested_user.id: - dashed_name: process-session-leader-parent-attested-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.session_leader.parent.attested_user.name: - dashed_name: process-session-leader-parent-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.session_leader.parent.attested_user.risk.calculated_level: - dashed_name: process-session-leader-parent-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.parent.attested_user.risk.calculated_score: - dashed_name: process-session-leader-parent-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.session_leader.parent.attested_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.parent.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.session_leader.parent.attested_user.risk.static_level: - dashed_name: process-session-leader-parent-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.parent.attested_user.risk.static_score: - dashed_name: process-session-leader-parent-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.session_leader.parent.attested_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.parent.attested_user.roles: - dashed_name: process-session-leader-parent-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.code_signature.digest_algorithm: - dashed_name: process-session-leader-parent-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.session_leader.parent.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword - process.session_leader.parent.code_signature.exists: - dashed_name: process-session-leader-parent-code-signature-exists - description: Boolean to capture if a signature is present. 
- example: 'true' - flat_name: process.session_leader.parent.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.session_leader.parent.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.session_leader.parent.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword - process.session_leader.parent.code_signature.signing_id: - dashed_name: process-session-leader-parent-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.session_leader.parent.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword - process.session_leader.parent.code_signature.status: - dashed_name: process-session-leader-parent-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.session_leader.parent.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. 
- type: keyword - process.session_leader.parent.code_signature.subject_name: - dashed_name: process-session-leader-parent-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.session_leader.parent.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - process.session_leader.parent.code_signature.team_id: - dashed_name: process-session-leader-parent-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.session_leader.parent.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.session_leader.parent.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.session_leader.parent.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword - process.session_leader.parent.code_signature.timestamp: - dashed_name: process-session-leader-parent-code-signature-timestamp - description: Date and time when the code signature was generated and signed. 
- example: '2021-01-01T12:10:30Z' - flat_name: process.session_leader.parent.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date - process.session_leader.parent.code_signature.trusted: - dashed_name: process-session-leader-parent-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.session_leader.parent.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - process.session_leader.parent.code_signature.valid: - dashed_name: process-session-leader-parent-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.session_leader.parent.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - process.session_leader.parent.command_line: - dashed_name: process-session-leader-parent-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' 
- example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.session_leader.parent.command_line - level: extended - multi_fields: - - flat_name: process.session_leader.parent.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.session_leader.parent.elf.architecture: - dashed_name: process-session-leader-parent-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.session_leader.parent.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword - process.session_leader.parent.elf.byte_order: - dashed_name: process-session-leader-parent-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.session_leader.parent.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword - process.session_leader.parent.elf.cpu_type: - dashed_name: process-session-leader-parent-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.session_leader.parent.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword - process.session_leader.parent.elf.creation_date: - dashed_name: process-session-leader-parent-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: process.session_leader.parent.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. 
- type: date - process.session_leader.parent.elf.exports: - dashed_name: process-session-leader-parent-elf-exports - description: List of exported element names and types. - flat_name: process.session_leader.parent.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - process.session_leader.parent.elf.go_import_hash: - dashed_name: process-session-leader-parent-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword - process.session_leader.parent.elf.go_imports: - dashed_name: process-session-leader-parent-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened - process.session_leader.parent.elf.go_imports_names_entropy: - dashed_name: process-session-leader-parent-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.session_leader.parent.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.parent.elf.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.parent.elf.go_stripped: - dashed_name: process-session-leader-parent-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.session_leader.parent.elf.header.abi_version: - dashed_name: process-session-leader-parent-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.session_leader.parent.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword - process.session_leader.parent.elf.header.class: - dashed_name: process-session-leader-parent-elf-header-class - description: Header class of the ELF file. 
- flat_name: process.session_leader.parent.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword - process.session_leader.parent.elf.header.data: - dashed_name: process-session-leader-parent-elf-header-data - description: Data table of the ELF header. - flat_name: process.session_leader.parent.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword - process.session_leader.parent.elf.header.entrypoint: - dashed_name: process-session-leader-parent-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.session_leader.parent.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - process.session_leader.parent.elf.header.object_version: - dashed_name: process-session-leader-parent-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.session_leader.parent.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword - process.session_leader.parent.elf.header.os_abi: - dashed_name: process-session-leader-parent-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.session_leader.parent.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword - process.session_leader.parent.elf.header.type: - dashed_name: process-session-leader-parent-elf-header-type - description: Header type of the ELF file. 
- flat_name: process.session_leader.parent.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword - process.session_leader.parent.elf.header.version: - dashed_name: process-session-leader-parent-elf-header-version - description: Version of the ELF header. - flat_name: process.session_leader.parent.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword - process.session_leader.parent.elf.import_hash: - dashed_name: process-session-leader-parent-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword - process.session_leader.parent.elf.imports: - dashed_name: process-session-leader-parent-elf-imports - description: List of imported element names and types. - flat_name: process.session_leader.parent.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - process.session_leader.parent.elf.imports_names_entropy: - dashed_name: process-session-leader-parent-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.session_leader.parent.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.session_leader.parent.elf.imports_names_var_entropy: - dashed_name: process-session-leader-parent-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.session_leader.parent.elf.sections: - dashed_name: process-session-leader-parent-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.session_leader.parent.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - process.session_leader.parent.elf.sections.chi2: - dashed_name: process-session-leader-parent-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.session_leader.parent.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - process.session_leader.parent.elf.sections.entropy: - dashed_name: process-session-leader-parent-elf-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.session_leader.parent.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - process.session_leader.parent.elf.sections.flags: - dashed_name: process-session-leader-parent-elf-sections-flags - description: ELF Section List flags. - flat_name: process.session_leader.parent.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword - process.session_leader.parent.elf.sections.name: - dashed_name: process-session-leader-parent-elf-sections-name - description: ELF Section List name. - flat_name: process.session_leader.parent.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - process.session_leader.parent.elf.sections.physical_offset: - dashed_name: process-session-leader-parent-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.session_leader.parent.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword - process.session_leader.parent.elf.sections.physical_size: - dashed_name: process-session-leader-parent-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.session_leader.parent.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long - process.session_leader.parent.elf.sections.type: - dashed_name: process-session-leader-parent-elf-sections-type - description: ELF Section List type. 
- flat_name: process.session_leader.parent.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword - process.session_leader.parent.elf.sections.var_entropy: - dashed_name: process-session-leader-parent-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long - process.session_leader.parent.elf.sections.virtual_address: - dashed_name: process-session-leader-parent-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.session_leader.parent.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - process.session_leader.parent.elf.sections.virtual_size: - dashed_name: process-session-leader-parent-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.session_leader.parent.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long - process.session_leader.parent.elf.segments: - dashed_name: process-session-leader-parent-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: process.session_leader.parent.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. 
- type: nested - process.session_leader.parent.elf.segments.sections: - dashed_name: process-session-leader-parent-elf-segments-sections - description: ELF object segment sections. - flat_name: process.session_leader.parent.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword - process.session_leader.parent.elf.segments.type: - dashed_name: process-session-leader-parent-elf-segments-type - description: ELF object segment type. - flat_name: process.session_leader.parent.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword - process.session_leader.parent.elf.shared_libraries: - dashed_name: process-session-leader-parent-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.session_leader.parent.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword - process.session_leader.parent.elf.telfhash: - dashed_name: process-session-leader-parent-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.session_leader.parent.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - process.session_leader.parent.end: - dashed_name: process-session-leader-parent-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. 
- type: date - process.session_leader.parent.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.session_leader.parent.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.session_leader.parent.entity_id: - dashed_name: process-session-leader-parent-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.session_leader.parent.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.session_leader.parent.entry_meta.source.address: - dashed_name: process-session-leader-parent-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' 
- flat_name: process.session_leader.parent.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword - process.session_leader.parent.entry_meta.source.as.number: - dashed_name: process-session-leader-parent-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.session_leader.parent.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.session_leader.parent.entry_meta.source.as.organization.name: - dashed_name: process-session-leader-parent-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.session_leader.parent.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword - process.session_leader.parent.entry_meta.source.bytes: - dashed_name: process-session-leader-parent-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.session_leader.parent.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.session_leader.parent.entry_meta.source.domain: - dashed_name: process-session-leader-parent-entry-meta-source-domain - description: 'The domain name of the source system. 
- - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.session_leader.parent.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.session_leader.parent.entry_meta.source.geo.city_name: - dashed_name: process-session-leader-parent-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.session_leader.parent.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.session_leader.parent.entry_meta.source.geo.continent_code: - dashed_name: process-session-leader-parent-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.session_leader.parent.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - process.session_leader.parent.entry_meta.source.geo.continent_name: - dashed_name: process-session-leader-parent-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.session_leader.parent.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.session_leader.parent.entry_meta.source.geo.country_iso_code: - dashed_name: process-session-leader-parent-entry-meta-source-geo-country-iso-code - description: Country ISO code. 
- example: CA - flat_name: process.session_leader.parent.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - process.session_leader.parent.entry_meta.source.geo.country_name: - dashed_name: process-session-leader-parent-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.session_leader.parent.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - process.session_leader.parent.entry_meta.source.geo.location: - dashed_name: process-session-leader-parent-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.session_leader.parent.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - process.session_leader.parent.entry_meta.source.geo.name: - dashed_name: process-session-leader-parent-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.session_leader.parent.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.session_leader.parent.entry_meta.source.geo.postal_code: - dashed_name: process-session-leader-parent-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. 
- - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.session_leader.parent.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.session_leader.parent.entry_meta.source.geo.region_iso_code: - dashed_name: process-session-leader-parent-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.session_leader.parent.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.session_leader.parent.entry_meta.source.geo.region_name: - dashed_name: process-session-leader-parent-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.session_leader.parent.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - process.session_leader.parent.entry_meta.source.geo.timezone: - dashed_name: process-session-leader-parent-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.session_leader.parent.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.session_leader.parent.entry_meta.source.ip: - dashed_name: process-session-leader-parent-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.session_leader.parent.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. 
- type: ip - process.session_leader.parent.entry_meta.source.mac: - dashed_name: process-session-leader-parent-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.session_leader.parent.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.session_leader.parent.entry_meta.source.nat.ip: - dashed_name: process-session-leader-parent-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.session_leader.parent.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.session_leader.parent.entry_meta.source.nat.port: - dashed_name: process-session-leader-parent-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.session_leader.parent.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.session_leader.parent.entry_meta.source.packets: - dashed_name: process-session-leader-parent-entry-meta-source-packets - description: Packets sent from the source to the destination. 
- example: 12 - flat_name: process.session_leader.parent.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.session_leader.parent.entry_meta.source.port: - dashed_name: process-session-leader-parent-entry-meta-source-port - description: Port of the source. - flat_name: process.session_leader.parent.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.session_leader.parent.entry_meta.source.registered_domain: - dashed_name: process-session-leader-parent-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.session_leader.parent.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.session_leader.parent.entry_meta.source.subdomain: - dashed_name: process-session-leader-parent-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
- If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.session_leader.parent.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword - process.session_leader.parent.entry_meta.source.top_level_domain: - dashed_name: process-session-leader-parent-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.session_leader.parent.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword - process.session_leader.parent.entry_meta.type: - dashed_name: process-session-leader-parent-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.session_leader.parent.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword - process.session_leader.parent.env_vars: - dashed_name: process-session-leader-parent-env-vars - description: 'Array of environment variable bindings. 
Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.session_leader.parent.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.executable: - dashed_name: process-session-leader-parent-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.session_leader.parent.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword - process.session_leader.parent.exit_code: - dashed_name: process-session-leader-parent-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.session_leader.parent.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long - process.session_leader.parent.group.domain: - dashed_name: process-session-leader-parent-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.session_leader.parent.group.id: - dashed_name: process-session-leader-parent-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.group.name: - dashed_name: process-session-leader-parent-group-name - description: Name of the group. - flat_name: process.session_leader.parent.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.session_leader.parent.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.session_leader.parent.hash.md5: - dashed_name: process-session-leader-parent-hash-md5 - description: MD5 hash. - flat_name: process.session_leader.parent.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.session_leader.parent.hash.sha1: - dashed_name: process-session-leader-parent-hash-sha1 - description: SHA1 hash. - flat_name: process.session_leader.parent.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. 
- type: keyword - process.session_leader.parent.hash.sha256: - dashed_name: process-session-leader-parent-hash-sha256 - description: SHA256 hash. - flat_name: process.session_leader.parent.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.session_leader.parent.hash.sha384: - dashed_name: process-session-leader-parent-hash-sha384 - description: SHA384 hash. - flat_name: process.session_leader.parent.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword - process.session_leader.parent.hash.sha512: - dashed_name: process-session-leader-parent-hash-sha512 - description: SHA512 hash. - flat_name: process.session_leader.parent.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.session_leader.parent.hash.ssdeep: - dashed_name: process-session-leader-parent-hash-ssdeep - description: SSDEEP hash. - flat_name: process.session_leader.parent.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword - process.session_leader.parent.hash.tlsh: - dashed_name: process-session-leader-parent-hash-tlsh - description: TLSH hash. - flat_name: process.session_leader.parent.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.session_leader.parent.interactive: - dashed_name: process-session-leader-parent-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. 
- - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.session_leader.parent.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.session_leader.parent.io: - dashed_name: process-session-leader-parent-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.session_leader.parent.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object - process.session_leader.parent.io.bytes_skipped: - dashed_name: process-session-leader-parent-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - flat_name: process.session_leader.parent.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been - skipped. - type: object - process.session_leader.parent.io.bytes_skipped.length: - dashed_name: process-session-leader-parent-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.session_leader.parent.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. 
- type: long - process.session_leader.parent.io.bytes_skipped.offset: - dashed_name: process-session-leader-parent-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.session_leader.parent.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.session_leader.parent.io.max_bytes_per_process_exceeded: - dashed_name: process-session-leader-parent-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.session_leader.parent.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean - process.session_leader.parent.io.text: - dashed_name: process-session-leader-parent-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.session_leader.parent.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. 
- type: wildcard - process.session_leader.parent.io.total_bytes_captured: - dashed_name: process-session-leader-parent-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.session_leader.parent.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long - process.session_leader.parent.io.total_bytes_skipped: - dashed_name: process-session-leader-parent-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.session_leader.parent.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. - type: long - process.session_leader.parent.io.type: - dashed_name: process-session-leader-parent-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - flat_name: process.session_leader.parent.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword - process.session_leader.parent.macho.go_import_hash: - dashed_name: process-session-leader-parent-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword - process.session_leader.parent.macho.go_imports: - dashed_name: process-session-leader-parent-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.session_leader.parent.macho.go_imports_names_entropy: - dashed_name: process-session-leader-parent-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.parent.macho.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. 
- flat_name: process.session_leader.parent.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.parent.macho.go_stripped: - dashed_name: process-session-leader-parent-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.session_leader.parent.macho.import_hash: - dashed_name: process-session-leader-parent-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.session_leader.parent.macho.imports: - dashed_name: process-session-leader-parent-macho-imports - description: List of imported element names and types. - flat_name: process.session_leader.parent.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. 
- type: flattened - process.session_leader.parent.macho.imports_names_entropy: - dashed_name: process-session-leader-parent-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.parent.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.session_leader.parent.macho.imports_names_var_entropy: - dashed_name: process-session-leader-parent-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.session_leader.parent.macho.sections: - dashed_name: process-session-leader-parent-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.session_leader.parent.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.session_leader.parent.macho.sections.entropy: - dashed_name: process-session-leader-parent-macho-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.session_leader.parent.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long - process.session_leader.parent.macho.sections.name: - dashed_name: process-session-leader-parent-macho-sections-name - description: Mach-O Section List name. - flat_name: process.session_leader.parent.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.session_leader.parent.macho.sections.physical_size: - dashed_name: process-session-leader-parent-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.session_leader.parent.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long - process.session_leader.parent.macho.sections.var_entropy: - dashed_name: process-session-leader-parent-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long - process.session_leader.parent.macho.sections.virtual_size: - dashed_name: process-session-leader-parent-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.session_leader.parent.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. 
- type: long - process.session_leader.parent.macho.symhash: - dashed_name: process-session-leader-parent-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.session_leader.parent.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.session_leader.parent.name: - dashed_name: process-session-leader-parent-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.session_leader.parent.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword - process.session_leader.parent.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.session_leader.parent.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.session_leader.parent.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-origin-url - description: The URL where the process's executable file is hosted. 
- example: http://example.com/files/example.exe - flat_name: process.session_leader.parent.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword - process.session_leader.parent.pe.architecture: - dashed_name: process-session-leader-parent-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.session_leader.parent.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword - process.session_leader.parent.pe.company: - dashed_name: process-session-leader-parent-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.session_leader.parent.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.session_leader.parent.pe.description: - dashed_name: process-session-leader-parent-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.session_leader.parent.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword - process.session_leader.parent.pe.file_version: - dashed_name: process-session-leader-parent-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.session_leader.parent.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. 
- type: keyword - process.session_leader.parent.pe.go_import_hash: - dashed_name: process-session-leader-parent-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.session_leader.parent.pe.go_imports: - dashed_name: process-session-leader-parent-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.session_leader.parent.pe.go_imports_names_entropy: - dashed_name: process-session-leader-parent-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.parent.pe.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. 
- flat_name: process.session_leader.parent.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.parent.pe.go_stripped: - dashed_name: process-session-leader-parent-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.session_leader.parent.pe.imphash: - dashed_name: process-session-leader-parent-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.session_leader.parent.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.session_leader.parent.pe.import_hash: - dashed_name: process-session-leader-parent-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.session_leader.parent.pe.imports: - dashed_name: process-session-leader-parent-pe-imports - description: List of imported element names and types. - flat_name: process.session_leader.parent.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened - process.session_leader.parent.pe.imports_names_entropy: - dashed_name: process-session-leader-parent-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.parent.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.session_leader.parent.pe.imports_names_var_entropy: - dashed_name: process-session-leader-parent-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.session_leader.parent.pe.original_file_name: - dashed_name: process-session-leader-parent-pe-original-file-name - description: Internal name of the file, provided at compile-time. 
- example: MSPAINT.EXE - flat_name: process.session_leader.parent.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword - process.session_leader.parent.pe.pehash: - dashed_name: process-session-leader-parent-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.session_leader.parent.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword - process.session_leader.parent.pe.product: - dashed_name: process-session-leader-parent-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.session_leader.parent.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.session_leader.parent.pe.sections: - dashed_name: process-session-leader-parent-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.session_leader.parent.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. 
- type: nested - process.session_leader.parent.pe.sections.entropy: - dashed_name: process-session-leader-parent-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long - process.session_leader.parent.pe.sections.name: - dashed_name: process-session-leader-parent-pe-sections-name - description: PE Section List name. - flat_name: process.session_leader.parent.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword - process.session_leader.parent.pe.sections.physical_size: - dashed_name: process-session-leader-parent-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.session_leader.parent.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.session_leader.parent.pe.sections.var_entropy: - dashed_name: process-session-leader-parent-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.session_leader.parent.pe.sections.virtual_size: - dashed_name: process-session-leader-parent-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. 
- flat_name: process.session_leader.parent.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.session_leader.parent.pid: - dashed_name: process-session-leader-parent-pid - description: Process id. - example: 4242 - flat_name: process.session_leader.parent.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.session_leader.parent.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.session_leader.parent.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.session_leader.parent.real_group.domain: - dashed_name: process-session-leader-parent-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.real_group.id: - dashed_name: process-session-leader-parent-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.session_leader.parent.real_group.name: - dashed_name: process-session-leader-parent-real-group-name - description: Name of the group. - flat_name: process.session_leader.parent.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.real_user.domain: - dashed_name: process-session-leader-parent-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.session_leader.parent.real_user.email: - dashed_name: process-session-leader-parent-real-user-email - description: User email address. - flat_name: process.session_leader.parent.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.parent.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.session_leader.parent.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. 
- type: object - process.session_leader.parent.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.session_leader.parent.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.parent.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.real_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.session_leader.parent.real_user.entity.id: - dashed_name: process-session-leader-parent-real-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.session_leader.parent.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.session_leader.parent.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.parent.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.session_leader.parent.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.session_leader.parent.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.session_leader.parent.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.session_leader.parent.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.session_leader.parent.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.session_leader.parent.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.real_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.session_leader.parent.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. 
- flat_name: process.session_leader.parent.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.session_leader.parent.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.parent.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.session_leader.parent.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.session_leader.parent.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.session_leader.parent.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.parent.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.session_leader.parent.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. 
This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. 
This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.session_leader.parent.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.session_leader.parent.real_user.full_name: - dashed_name: process-session-leader-parent-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.parent.real_user.group.domain: - dashed_name: process-session-leader-parent-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.session_leader.parent.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.real_user.group.id: - dashed_name: process-session-leader-parent-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.real_user.group.name: - dashed_name: process-session-leader-parent-real-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.real_user.hash: - dashed_name: process-session-leader-parent-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.session_leader.parent.real_user.id: - dashed_name: process-session-leader-parent-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword - process.session_leader.parent.real_user.name: - dashed_name: process-session-leader-parent-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.session_leader.parent.real_user.risk.calculated_level: - dashed_name: process-session-leader-parent-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.parent.real_user.risk.calculated_score: - dashed_name: process-session-leader-parent-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.session_leader.parent.real_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.parent.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.session_leader.parent.real_user.risk.static_level: - dashed_name: process-session-leader-parent-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.parent.real_user.risk.static_score: - dashed_name: process-session-leader-parent-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.session_leader.parent.real_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.parent.real_user.roles: - dashed_name: process-session-leader-parent-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.same_as_process: - dashed_name: process-session-leader-parent-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. 
- e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.session_leader.parent.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.session_leader.parent.saved_group.domain: - dashed_name: process-session-leader-parent-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.saved_group.id: - dashed_name: process-session-leader-parent-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.saved_group.name: - dashed_name: process-session-leader-parent-saved-group-name - description: Name of the group. - flat_name: process.session_leader.parent.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.session_leader.parent.saved_user.domain: - dashed_name: process-session-leader-parent-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.session_leader.parent.saved_user.email: - dashed_name: process-session-leader-parent-saved-user-email - description: User email address. - flat_name: process.session_leader.parent.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.parent.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.session_leader.parent.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.session_leader.parent.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. 
Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.session_leader.parent.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.parent.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.saved_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.session_leader.parent.saved_user.entity.id: - dashed_name: process-session-leader-parent-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. 
Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.session_leader.parent.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.session_leader.parent.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.parent.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.session_leader.parent.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.session_leader.parent.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. 
- flat_name: process.session_leader.parent.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.session_leader.parent.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.session_leader.parent.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.saved_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.session_leader.parent.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.session_leader.parent.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.session_leader.parent.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. 
This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.parent.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.session_leader.parent.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.session_leader.parent.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.session_leader.parent.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.parent.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.session_leader.parent.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. 
Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. 
This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-type - description: 'A standardized high-level classification of the entity. 
This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.session_leader.parent.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.session_leader.parent.saved_user.full_name: - dashed_name: process-session-leader-parent-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.parent.saved_user.group.domain: - dashed_name: process-session-leader-parent-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.saved_user.group.id: - dashed_name: process-session-leader-parent-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.session_leader.parent.saved_user.group.name: - dashed_name: process-session-leader-parent-saved-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.saved_user.hash: - dashed_name: process-session-leader-parent-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.session_leader.parent.saved_user.id: - dashed_name: process-session-leader-parent-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.session_leader.parent.saved_user.name: - dashed_name: process-session-leader-parent-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword - process.session_leader.parent.saved_user.risk.calculated_level: - dashed_name: process-session-leader-parent-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.parent.saved_user.risk.calculated_score: - dashed_name: process-session-leader-parent-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.session_leader.parent.saved_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.parent.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float - process.session_leader.parent.saved_user.risk.static_level: - dashed_name: process-session-leader-parent-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.parent.saved_user.risk.static_score: - dashed_name: process-session-leader-parent-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.session_leader.parent.saved_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.parent.saved_user.roles: - dashed_name: process-session-leader-parent-saved-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.session_leader.args: - dashed_name: process-session-leader-parent-session-leader-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.session_leader.parent.session_leader.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.session_leader.parent.session_leader.args_count: - dashed_name: process-session-leader-parent-session-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.session_leader.parent.session_leader.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long - process.session_leader.parent.session_leader.attested_groups.domain: - dashed_name: process-session-leader-parent-session-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.session_leader.parent.session_leader.attested_groups.id: - dashed_name: process-session-leader-parent-session-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.session_leader.attested_groups.name: - dashed_name: process-session-leader-parent-session-leader-attested-groups-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.session_leader.attested_user.domain: - dashed_name: process-session-leader-parent-session-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.session_leader.parent.session_leader.attested_user.email: - dashed_name: process-session-leader-parent-session-leader-attested-user-email - description: User email address. - flat_name: process.session_leader.parent.session_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.parent.session_leader.attested_user.entity.attributes: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.session_leader.parent.session_leader.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.session_leader.parent.session_leader.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.session_leader.parent.session_leader.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. 
This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.parent.session_leader.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.attested_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.session_leader.parent.session_leader.attested_user.entity.id: - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.session_leader.parent.session_leader.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.session_leader.parent.session_leader.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. 
- flat_name: process.session_leader.parent.session_leader.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.session_leader.parent.session_leader.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.session_leader.parent.session_leader.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.session_leader.parent.session_leader.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.session_leader.parent.session_leader.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. 
- For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.session_leader.parent.session_leader.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.attested_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.session_leader.parent.session_leader.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.session_leader.parent.session_leader.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.session_leader.parent.session_leader.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.parent.session_leader.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. 
- type: keyword - process.session_leader.parent.session_leader.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.session_leader.parent.session_leader.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.session_leader.parent.session_leader.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.parent.session_leader.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.session_leader.parent.session_leader.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. 
- name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. 
This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' 
- example: host - flat_name: process.session_leader.parent.session_leader.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.session_leader.parent.session_leader.attested_user.full_name: - dashed_name: process-session-leader-parent-session-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.session_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.parent.session_leader.attested_user.group.domain: - dashed_name: process-session-leader-parent-session-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.session_leader.attested_user.group.id: - dashed_name: process-session-leader-parent-session-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.session_leader.parent.session_leader.attested_user.group.name: - dashed_name: process-session-leader-parent-session-leader-attested-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.session_leader.attested_user.hash: - dashed_name: process-session-leader-parent-session-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.session_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.session_leader.parent.session_leader.attested_user.id: - dashed_name: process-session-leader-parent-session-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.session_leader.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.session_leader.parent.session_leader.attested_user.name: - dashed_name: process-session-leader-parent-session-leader-attested-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.session_leader.parent.session_leader.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.session_leader.parent.session_leader.attested_user.risk.calculated_level: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.parent.session_leader.attested_user.risk.calculated_score: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.session_leader.parent.session_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.session_leader.parent.session_leader.attested_user.risk.static_level: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.parent.session_leader.attested_user.risk.static_score: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.session_leader.parent.session_leader.attested_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.parent.session_leader.attested_user.roles: - dashed_name: process-session-leader-parent-session-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.session_leader.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.session_leader.code_signature.digest_algorithm: - dashed_name: process-session-leader-parent-session-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.session_leader.parent.session_leader.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. 
- type: keyword - process.session_leader.parent.session_leader.code_signature.exists: - dashed_name: process-session-leader-parent-session-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.session_leader.parent.session_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.session_leader.parent.session_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.session_leader.parent.session_leader.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword - process.session_leader.parent.session_leader.code_signature.signing_id: - dashed_name: process-session-leader-parent-session-leader-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.session_leader.parent.session_leader.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword - process.session_leader.parent.session_leader.code_signature.status: - dashed_name: process-session-leader-parent-session-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. 
Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.session_leader.parent.session_leader.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword - process.session_leader.parent.session_leader.code_signature.subject_name: - dashed_name: process-session-leader-parent-session-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.session_leader.parent.session_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - process.session_leader.parent.session_leader.code_signature.team_id: - dashed_name: process-session-leader-parent-session-leader-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.session_leader.parent.session_leader.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.session_leader.parent.session_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. 
- example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.session_leader.parent.session_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword - process.session_leader.parent.session_leader.code_signature.timestamp: - dashed_name: process-session-leader-parent-session-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.session_leader.parent.session_leader.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date - process.session_leader.parent.session_leader.code_signature.trusted: - dashed_name: process-session-leader-parent-session-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.session_leader.parent.session_leader.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - process.session_leader.parent.session_leader.code_signature.valid: - dashed_name: process-session-leader-parent-session-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' 
- example: 'true' - flat_name: process.session_leader.parent.session_leader.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - process.session_leader.parent.session_leader.command_line: - dashed_name: process-session-leader-parent-session-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.session_leader.parent.session_leader.command_line - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.session_leader.parent.session_leader.elf.architecture: - dashed_name: process-session-leader-parent-session-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.session_leader.parent.session_leader.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword - process.session_leader.parent.session_leader.elf.byte_order: - dashed_name: process-session-leader-parent-session-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.session_leader.parent.session_leader.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. 
- type: keyword - process.session_leader.parent.session_leader.elf.cpu_type: - dashed_name: process-session-leader-parent-session-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.session_leader.parent.session_leader.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword - process.session_leader.parent.session_leader.elf.creation_date: - dashed_name: process-session-leader-parent-session-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: process.session_leader.parent.session_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date - process.session_leader.parent.session_leader.elf.exports: - dashed_name: process-session-leader-parent-session-leader-elf-exports - description: List of exported element names and types. - flat_name: process.session_leader.parent.session_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - process.session_leader.parent.session_leader.elf.go_import_hash: - dashed_name: process-session-leader-parent-session-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.session_leader.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword - process.session_leader.parent.session_leader.elf.go_imports: - dashed_name: process-session-leader-parent-session-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.session_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened - process.session_leader.parent.session_leader.elf.go_imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.parent.session_leader.elf.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long - process.session_leader.parent.session_leader.elf.go_stripped: - dashed_name: process-session-leader-parent-session-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.session_leader.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.session_leader.parent.session_leader.elf.header.abi_version: - dashed_name: process-session-leader-parent-session-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.session_leader.parent.session_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword - process.session_leader.parent.session_leader.elf.header.class: - dashed_name: process-session-leader-parent-session-leader-elf-header-class - description: Header class of the ELF file. - flat_name: process.session_leader.parent.session_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword - process.session_leader.parent.session_leader.elf.header.data: - dashed_name: process-session-leader-parent-session-leader-elf-header-data - description: Data table of the ELF header. - flat_name: process.session_leader.parent.session_leader.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. 
- type: keyword - process.session_leader.parent.session_leader.elf.header.entrypoint: - dashed_name: process-session-leader-parent-session-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.session_leader.parent.session_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - process.session_leader.parent.session_leader.elf.header.object_version: - dashed_name: process-session-leader-parent-session-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.session_leader.parent.session_leader.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword - process.session_leader.parent.session_leader.elf.header.os_abi: - dashed_name: process-session-leader-parent-session-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.session_leader.parent.session_leader.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword - process.session_leader.parent.session_leader.elf.header.type: - dashed_name: process-session-leader-parent-session-leader-elf-header-type - description: Header type of the ELF file. - flat_name: process.session_leader.parent.session_leader.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword - process.session_leader.parent.session_leader.elf.header.version: - dashed_name: process-session-leader-parent-session-leader-elf-header-version - description: Version of the ELF header. 
- flat_name: process.session_leader.parent.session_leader.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword - process.session_leader.parent.session_leader.elf.import_hash: - dashed_name: process-session-leader-parent-session-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.session_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword - process.session_leader.parent.session_leader.elf.imports: - dashed_name: process-session-leader-parent-session-leader-elf-imports - description: List of imported element names and types. - flat_name: process.session_leader.parent.session_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - process.session_leader.parent.session_leader.elf.imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.parent.session_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. 
- type: long - process.session_leader.parent.session_leader.elf.imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.session_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.session_leader.parent.session_leader.elf.sections: - dashed_name: process-session-leader-parent-session-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.session_leader.parent.session_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - process.session_leader.parent.session_leader.elf.sections.chi2: - dashed_name: process-session-leader-parent-session-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.session_leader.parent.session_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - process.session_leader.parent.session_leader.elf.sections.entropy: - dashed_name: process-session-leader-parent-session-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.session_leader.parent.session_leader.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - process.session_leader.parent.session_leader.elf.sections.flags: - dashed_name: process-session-leader-parent-session-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.session_leader.parent.session_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword - process.session_leader.parent.session_leader.elf.sections.name: - dashed_name: process-session-leader-parent-session-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.session_leader.parent.session_leader.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - process.session_leader.parent.session_leader.elf.sections.physical_offset: - dashed_name: process-session-leader-parent-session-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.session_leader.parent.session_leader.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword - process.session_leader.parent.session_leader.elf.sections.physical_size: - dashed_name: process-session-leader-parent-session-leader-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.session_leader.parent.session_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. 
- type: long - process.session_leader.parent.session_leader.elf.sections.type: - dashed_name: process-session-leader-parent-session-leader-elf-sections-type - description: ELF Section List type. - flat_name: process.session_leader.parent.session_leader.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword - process.session_leader.parent.session_leader.elf.sections.var_entropy: - dashed_name: process-session-leader-parent-session-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.session_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long - process.session_leader.parent.session_leader.elf.sections.virtual_address: - dashed_name: process-session-leader-parent-session-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.session_leader.parent.session_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - process.session_leader.parent.session_leader.elf.sections.virtual_size: - dashed_name: process-session-leader-parent-session-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.session_leader.parent.session_leader.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. 
- type: long - process.session_leader.parent.session_leader.elf.segments: - dashed_name: process-session-leader-parent-session-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: process.session_leader.parent.session_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested - process.session_leader.parent.session_leader.elf.segments.sections: - dashed_name: process-session-leader-parent-session-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.session_leader.parent.session_leader.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword - process.session_leader.parent.session_leader.elf.segments.type: - dashed_name: process-session-leader-parent-session-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.session_leader.parent.session_leader.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword - process.session_leader.parent.session_leader.elf.shared_libraries: - dashed_name: process-session-leader-parent-session-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.session_leader.parent.session_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. 
- type: keyword - process.session_leader.parent.session_leader.elf.telfhash: - dashed_name: process-session-leader-parent-session-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.session_leader.parent.session_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - process.session_leader.parent.session_leader.end: - dashed_name: process-session-leader-parent-session-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.session_leader.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date - process.session_leader.parent.session_leader.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.session_leader.parent.session_leader.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.session_leader.parent.session_leader.entity_id: - dashed_name: process-session-leader-parent-session-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. 
- - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.session_leader.parent.session_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.session_leader.parent.session_leader.entry_meta.source.address: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.session_leader.parent.session_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword - process.session_leader.parent.session_leader.entry_meta.source.as.number: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.session_leader.parent.session_leader.entry_meta.source.as.organization.name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-as-organization-name - description: Organization name. 
- example: Google LLC - flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword - process.session_leader.parent.session_leader.entry_meta.source.bytes: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.session_leader.parent.session_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.session_leader.parent.session_leader.entry_meta.source.domain: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.session_leader.parent.session_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.session_leader.parent.session_leader.entry_meta.source.geo.city_name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. 
- type: keyword - process.session_leader.parent.session_leader.entry_meta.source.geo.continent_code: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - process.session_leader.parent.session_leader.entry_meta.source.geo.continent_name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - process.session_leader.parent.session_leader.entry_meta.source.geo.country_name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. 
- type: keyword - process.session_leader.parent.session_leader.entry_meta.source.geo.location: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - process.session_leader.parent.session_leader.entry_meta.source.geo.name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.session_leader.parent.session_leader.entry_meta.source.geo.postal_code: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. 
- type: keyword - process.session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.session_leader.parent.session_leader.entry_meta.source.geo.region_name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - process.session_leader.parent.session_leader.entry_meta.source.geo.timezone: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.session_leader.parent.session_leader.entry_meta.source.ip: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.session_leader.parent.session_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. 
- type: ip - process.session_leader.parent.session_leader.entry_meta.source.mac: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.session_leader.parent.session_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.session_leader.parent.session_leader.entry_meta.source.nat.ip: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.session_leader.parent.session_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.session_leader.parent.session_leader.entry_meta.source.nat.port: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' 
- flat_name: process.session_leader.parent.session_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.session_leader.parent.session_leader.entry_meta.source.packets: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.session_leader.parent.session_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.session_leader.parent.session_leader.entry_meta.source.port: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.session_leader.parent.session_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.session_leader.parent.session_leader.entry_meta.source.registered_domain: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.session_leader.parent.session_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. 
- type: keyword - process.session_leader.parent.session_leader.entry_meta.source.subdomain: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.session_leader.parent.session_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword - process.session_leader.parent.session_leader.entry_meta.source.top_level_domain: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.session_leader.parent.session_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). 
- type: keyword - process.session_leader.parent.session_leader.entry_meta.type: - dashed_name: process-session-leader-parent-session-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.session_leader.parent.session_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword - process.session_leader.parent.session_leader.env_vars: - dashed_name: process-session-leader-parent-session-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.session_leader.parent.session_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.session_leader.executable: - dashed_name: process-session-leader-parent-session-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.session_leader.parent.session_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. 
- type: keyword - process.session_leader.parent.session_leader.exit_code: - dashed_name: process-session-leader-parent-session-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.session_leader.parent.session_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long - process.session_leader.parent.session_leader.group.domain: - dashed_name: process-session-leader-parent-session-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.session_leader.group.id: - dashed_name: process-session-leader-parent-session-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.session_leader.group.name: - dashed_name: process-session-leader-parent-session-leader-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.session_leader.hash.cdhash: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.session_leader.parent.session_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.session_leader.parent.session_leader.hash.md5: - dashed_name: process-session-leader-parent-session-leader-hash-md5 - description: MD5 hash. - flat_name: process.session_leader.parent.session_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.session_leader.parent.session_leader.hash.sha1: - dashed_name: process-session-leader-parent-session-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.session_leader.parent.session_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.session_leader.parent.session_leader.hash.sha256: - dashed_name: process-session-leader-parent-session-leader-hash-sha256 - description: SHA256 hash. - flat_name: process.session_leader.parent.session_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.session_leader.parent.session_leader.hash.sha384: - dashed_name: process-session-leader-parent-session-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.session_leader.parent.session_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. 
- type: keyword - process.session_leader.parent.session_leader.hash.sha512: - dashed_name: process-session-leader-parent-session-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.session_leader.parent.session_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.session_leader.parent.session_leader.hash.ssdeep: - dashed_name: process-session-leader-parent-session-leader-hash-ssdeep - description: SSDEEP hash. - flat_name: process.session_leader.parent.session_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword - process.session_leader.parent.session_leader.hash.tlsh: - dashed_name: process-session-leader-parent-session-leader-hash-tlsh - description: TLSH hash. - flat_name: process.session_leader.parent.session_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.session_leader.parent.session_leader.interactive: - dashed_name: process-session-leader-parent-session-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' 
- example: true - flat_name: process.session_leader.parent.session_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.session_leader.parent.session_leader.io: - dashed_name: process-session-leader-parent-session-leader-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.session_leader.parent.session_leader.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object - process.session_leader.parent.session_leader.io.bytes_skipped: - dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - flat_name: process.session_leader.parent.session_leader.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been - skipped. - type: object - process.session_leader.parent.session_leader.io.bytes_skipped.length: - dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.session_leader.parent.session_leader.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long - process.session_leader.parent.session_leader.io.bytes_skipped.offset: - dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. 
- flat_name: process.session_leader.parent.session_leader.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.session_leader.parent.session_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-session-leader-parent-session-leader-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.session_leader.parent.session_leader.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean - process.session_leader.parent.session_leader.io.text: - dashed_name: process-session-leader-parent-session-leader-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.session_leader.parent.session_leader.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard - process.session_leader.parent.session_leader.io.total_bytes_captured: - dashed_name: process-session-leader-parent-session-leader-io-total-bytes-captured - description: The total number of bytes captured in this event. 
- flat_name: process.session_leader.parent.session_leader.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long - process.session_leader.parent.session_leader.io.total_bytes_skipped: - dashed_name: process-session-leader-parent-session-leader-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.session_leader.parent.session_leader.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. - type: long - process.session_leader.parent.session_leader.io.type: - dashed_name: process-session-leader-parent-session-leader-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - flat_name: process.session_leader.parent.session_leader.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword - process.session_leader.parent.session_leader.macho.go_import_hash: - dashed_name: process-session-leader-parent-session-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.session_leader.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword - process.session_leader.parent.session_leader.macho.go_imports: - dashed_name: process-session-leader-parent-session-leader-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.session_leader.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.session_leader.parent.session_leader.macho.go_imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.parent.session_leader.macho.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long - process.session_leader.parent.session_leader.macho.go_stripped: - dashed_name: process-session-leader-parent-session-leader-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.session_leader.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.session_leader.parent.session_leader.macho.import_hash: - dashed_name: process-session-leader-parent-session-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.session_leader.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.session_leader.parent.session_leader.macho.imports: - dashed_name: process-session-leader-parent-session-leader-macho-imports - description: List of imported element names and types. - flat_name: process.session_leader.parent.session_leader.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened - process.session_leader.parent.session_leader.macho.imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.session_leader.parent.session_leader.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.session_leader.parent.session_leader.macho.imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.session_leader.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.session_leader.parent.session_leader.macho.sections: - dashed_name: process-session-leader-parent-session-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.session_leader.parent.session_leader.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.session_leader.parent.session_leader.macho.sections.entropy: - dashed_name: process-session-leader-parent-session-leader-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.session_leader.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. 
- type: long - process.session_leader.parent.session_leader.macho.sections.name: - dashed_name: process-session-leader-parent-session-leader-macho-sections-name - description: Mach-O Section List name. - flat_name: process.session_leader.parent.session_leader.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.session_leader.parent.session_leader.macho.sections.physical_size: - dashed_name: process-session-leader-parent-session-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.session_leader.parent.session_leader.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long - process.session_leader.parent.session_leader.macho.sections.var_entropy: - dashed_name: process-session-leader-parent-session-leader-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.session_leader.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long - process.session_leader.parent.session_leader.macho.sections.virtual_size: - dashed_name: process-session-leader-parent-session-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.session_leader.parent.session_leader.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. 
- type: long - process.session_leader.parent.session_leader.macho.symhash: - dashed_name: process-session-leader-parent-session-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.session_leader.parent.session_leader.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.session_leader.parent.session_leader.name: - dashed_name: process-session-leader-parent-session-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.session_leader.parent.session_leader.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword - process.session_leader.parent.session_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.session_leader.parent.session_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.session_leader.parent.session_leader.origin_url: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.session_leader.parent.session_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword - process.session_leader.parent.session_leader.pe.architecture: - dashed_name: process-session-leader-parent-session-leader-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.session_leader.parent.session_leader.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword - process.session_leader.parent.session_leader.pe.company: - dashed_name: process-session-leader-parent-session-leader-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.session_leader.parent.session_leader.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.session_leader.parent.session_leader.pe.description: - dashed_name: process-session-leader-parent-session-leader-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.session_leader.parent.session_leader.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. 
- type: keyword - process.session_leader.parent.session_leader.pe.file_version: - dashed_name: process-session-leader-parent-session-leader-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.session_leader.parent.session_leader.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - process.session_leader.parent.session_leader.pe.go_import_hash: - dashed_name: process-session-leader-parent-session-leader-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.session_leader.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.session_leader.parent.session_leader.pe.go_imports: - dashed_name: process-session-leader-parent-session-leader-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.session_leader.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. 
- type: flattened - process.session_leader.parent.session_leader.pe.go_imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.parent.session_leader.pe.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.parent.session_leader.pe.go_stripped: - dashed_name: process-session-leader-parent-session-leader-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.session_leader.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.session_leader.parent.session_leader.pe.imphash: - dashed_name: process-session-leader-parent-session-leader-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. 
- - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.session_leader.parent.session_leader.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.session_leader.parent.session_leader.pe.import_hash: - dashed_name: process-session-leader-parent-session-leader-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.session_leader.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.session_leader.parent.session_leader.pe.imports: - dashed_name: process-session-leader-parent-session-leader-pe-imports - description: List of imported element names and types. - flat_name: process.session_leader.parent.session_leader.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened - process.session_leader.parent.session_leader.pe.imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.parent.session_leader.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. 
- type: long - process.session_leader.parent.session_leader.pe.imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.session_leader.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.session_leader.parent.session_leader.pe.original_file_name: - dashed_name: process-session-leader-parent-session-leader-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.session_leader.parent.session_leader.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword - process.session_leader.parent.session_leader.pe.pehash: - dashed_name: process-session-leader-parent-session-leader-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.session_leader.parent.session_leader.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. 
- type: keyword - process.session_leader.parent.session_leader.pe.product: - dashed_name: process-session-leader-parent-session-leader-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.session_leader.parent.session_leader.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.session_leader.parent.session_leader.pe.sections: - dashed_name: process-session-leader-parent-session-leader-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.session_leader.parent.session_leader.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested - process.session_leader.parent.session_leader.pe.sections.entropy: - dashed_name: process-session-leader-parent-session-leader-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.session_leader.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long - process.session_leader.parent.session_leader.pe.sections.name: - dashed_name: process-session-leader-parent-session-leader-pe-sections-name - description: PE Section List name. - flat_name: process.session_leader.parent.session_leader.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. 
- type: keyword - process.session_leader.parent.session_leader.pe.sections.physical_size: - dashed_name: process-session-leader-parent-session-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.session_leader.parent.session_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.session_leader.parent.session_leader.pe.sections.var_entropy: - dashed_name: process-session-leader-parent-session-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.session_leader.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.session_leader.parent.session_leader.pe.sections.virtual_size: - dashed_name: process-session-leader-parent-session-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.session_leader.parent.session_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.session_leader.parent.session_leader.pid: - dashed_name: process-session-leader-parent-session-leader-pid - description: Process id. - example: 4242 - flat_name: process.session_leader.parent.session_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.session_leader.parent.session_leader.platform_binary: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.session_leader.parent.session_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.session_leader.parent.session_leader.real_group.domain: - dashed_name: process-session-leader-parent-session-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.session_leader.real_group.id: - dashed_name: process-session-leader-parent-session-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.session_leader.real_group.name: - dashed_name: process-session-leader-parent-session-leader-real-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.session_leader.parent.session_leader.real_user.domain: - dashed_name: process-session-leader-parent-session-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.session_leader.parent.session_leader.real_user.email: - dashed_name: process-session-leader-parent-session-leader-real-user-email - description: User email address. - flat_name: process.session_leader.parent.session_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.parent.session_leader.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.session_leader.parent.session_leader.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.session_leader.parent.session_leader.real_user.entity.behavior: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.session_leader.parent.session_leader.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.parent.session_leader.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.real_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.session_leader.parent.session_leader.real_user.entity.id: - dashed_name: process-session-leader-parent-session-leader-real-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.session_leader.parent.session_leader.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.session_leader.parent.session_leader.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.parent.session_leader.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.session_leader.parent.session_leader.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.session_leader.parent.session_leader.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.session_leader.parent.session_leader.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.session_leader.parent.session_leader.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.session_leader.parent.session_leader.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.session_leader.parent.session_leader.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.real_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.session_leader.parent.session_leader.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. 
While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.session_leader.parent.session_leader.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.session_leader.parent.session_leader.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.parent.session_leader.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.session_leader.parent.session_leader.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.session_leader.parent.session_leader.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.session_leader.parent.session_leader.real_user.entity.sub_type: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.parent.session_leader.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.session_leader.parent.session_leader.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. 
This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.session_leader.parent.session_leader.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.session_leader.parent.session_leader.real_user.full_name: - dashed_name: process-session-leader-parent-session-leader-real-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.session_leader.parent.session_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.parent.session_leader.real_user.group.domain: - dashed_name: process-session-leader-parent-session-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.session_leader.real_user.group.id: - dashed_name: process-session-leader-parent-session-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.session_leader.real_user.group.name: - dashed_name: process-session-leader-parent-session-leader-real-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.session_leader.parent.session_leader.real_user.hash: - dashed_name: process-session-leader-parent-session-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.session_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.session_leader.parent.session_leader.real_user.id: - dashed_name: process-session-leader-parent-session-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.session_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.session_leader.parent.session_leader.real_user.name: - dashed_name: process-session-leader-parent-session-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.session_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.session_leader.parent.session_leader.real_user.risk.calculated_level: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: High - flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.parent.session_leader.real_user.risk.calculated_score: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.session_leader.parent.session_leader.real_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.session_leader.parent.session_leader.real_user.risk.static_level: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.session_leader.parent.session_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.parent.session_leader.real_user.risk.static_score: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.session_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.session_leader.parent.session_leader.real_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.session_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.parent.session_leader.real_user.roles: - dashed_name: process-session-leader-parent-session-leader-real-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.session_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.session_leader.same_as_process: - dashed_name: process-session-leader-parent-session-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.session_leader.parent.session_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. 
- type: boolean - process.session_leader.parent.session_leader.saved_group.domain: - dashed_name: process-session-leader-parent-session-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.session_leader.saved_group.id: - dashed_name: process-session-leader-parent-session-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.session_leader.saved_group.name: - dashed_name: process-session-leader-parent-session-leader-saved-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.session_leader.saved_user.domain: - dashed_name: process-session-leader-parent-session-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. 
- type: keyword - process.session_leader.parent.session_leader.saved_user.email: - dashed_name: process-session-leader-parent-session-leader-saved-user-email - description: User email address. - flat_name: process.session_leader.parent.session_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.parent.session_leader.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.session_leader.parent.session_leader.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.session_leader.parent.session_leader.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.session_leader.parent.session_leader.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.session_leader.parent.session_leader.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.parent.session_leader.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.saved_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.session_leader.parent.session_leader.saved_user.entity.id: - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' 
- flat_name: process.session_leader.parent.session_leader.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.session_leader.parent.session_leader.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.parent.session_leader.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.session_leader.parent.session_leader.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.session_leader.parent.session_leader.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. 
- flat_name: process.session_leader.parent.session_leader.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.session_leader.parent.session_leader.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.session_leader.parent.session_leader.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.saved_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.session_leader.parent.session_leader.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.session_leader.parent.session_leader.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.session_leader.parent.session_leader.saved_user.entity.reference: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.parent.session_leader.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.session_leader.parent.session_leader.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.session_leader.parent.session_leader.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.session_leader.parent.session_leader.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: process.session_leader.parent.session_leader.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.session_leader.parent.session_leader.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. 
- This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.session_leader.parent.session_leader.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.session_leader.parent.session_leader.saved_user.full_name: - dashed_name: process-session-leader-parent-session-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.session_leader.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.parent.session_leader.saved_user.group.domain: - dashed_name: process-session-leader-parent-session-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.session_leader.parent.session_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.session_leader.saved_user.group.id: - dashed_name: process-session-leader-parent-session-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.session_leader.saved_user.group.name: - dashed_name: process-session-leader-parent-session-leader-saved-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.session_leader.saved_user.hash: - dashed_name: process-session-leader-parent-session-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.session_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.session_leader.parent.session_leader.saved_user.id: - dashed_name: process-session-leader-parent-session-leader-saved-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.session_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.session_leader.parent.session_leader.saved_user.name: - dashed_name: process-session-leader-parent-session-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.session_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.session_leader.parent.session_leader.saved_user.risk.calculated_level: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.parent.session_leader.saved_user.risk.calculated_score: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.session_leader.parent.session_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.session_leader.parent.session_leader.saved_user.risk.static_level: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.parent.session_leader.saved_user.risk.static_score: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.session_leader.parent.session_leader.saved_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.parent.session_leader.saved_user.roles: - dashed_name: process-session-leader-parent-session-leader-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.session_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.session_leader.start: - dashed_name: process-session-leader-parent-session-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.session_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. 
- type: date - process.session_leader.parent.session_leader.supplemental_groups.domain: - dashed_name: process-session-leader-parent-session-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.session_leader.supplemental_groups.id: - dashed_name: process-session-leader-parent-session-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.session_leader.supplemental_groups.name: - dashed_name: process-session-leader-parent-session-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.session_leader.thread.capabilities.effective: - dashed_name: process-session-leader-parent-session-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.parent.session_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.session_leader.thread.capabilities.permitted: - dashed_name: process-session-leader-parent-session-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.parent.session_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.session_leader.thread.id: - dashed_name: process-session-leader-parent-session-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.session_leader.parent.session_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long - process.session_leader.parent.session_leader.thread.name: - dashed_name: process-session-leader-parent-session-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.session_leader.parent.session_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword - process.session_leader.parent.session_leader.title: - dashed_name: process-session-leader-parent-session-leader-title - description: 'Process title. 
- - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - flat_name: process.session_leader.parent.session_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword - process.session_leader.parent.session_leader.tty: - dashed_name: process-session-leader-parent-session-leader-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.session_leader.parent.session_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.session_leader.parent.session_leader.tty.char_device.major: - dashed_name: process-session-leader-parent-session-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.session_leader.parent.session_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long - process.session_leader.parent.session_leader.tty.char_device.minor: - dashed_name: process-session-leader-parent-session-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. 
It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.session_leader.parent.session_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long - process.session_leader.parent.session_leader.tty.columns: - dashed_name: process-session-leader-parent-session-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.session_leader.parent.session_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.session_leader.parent.session_leader.tty.rows: - dashed_name: process-session-leader-parent-session-leader-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.session_leader.parent.session_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.session_leader.parent.session_leader.uptime: - dashed_name: process-session-leader-parent-session-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.session_leader.parent.session_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. 
- type: long - process.session_leader.parent.session_leader.user.domain: - dashed_name: process-session-leader-parent-session-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.session_leader.parent.session_leader.user.email: - dashed_name: process-session-leader-parent-session-leader-user-email - description: User email address. - flat_name: process.session_leader.parent.session_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.parent.session_leader.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.session_leader.parent.session_leader.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.session_leader.parent.session_leader.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. 
Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.session_leader.parent.session_leader.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.parent.session_leader.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.session_leader.parent.session_leader.user.entity.id: - dashed_name: process-session-leader-parent-session-leader-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). 
For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.session_leader.parent.session_leader.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.session_leader.parent.session_leader.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.parent.session_leader.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.session_leader.parent.session_leader.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.session_leader.parent.session_leader.user.entity.metrics: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.session_leader.parent.session_leader.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.session_leader.parent.session_leader.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.session_leader.parent.session_leader.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.session_leader.parent.session_leader.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.session_leader.parent.session_leader.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. 
- type: object - process.session_leader.parent.session_leader.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.parent.session_leader.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.session_leader.parent.session_leader.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.session_leader.parent.session_leader.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.session_leader.parent.session_leader.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: process.session_leader.parent.session_leader.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.session_leader.parent.session_leader.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. 
- This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.session_leader.parent.session_leader.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.session_leader.parent.session_leader.user.full_name: - dashed_name: process-session-leader-parent-session-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.session_leader.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.parent.session_leader.user.group.domain: - dashed_name: process-session-leader-parent-session-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.session_leader.parent.session_leader.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.session_leader.user.group.id: - dashed_name: process-session-leader-parent-session-leader-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.session_leader.user.group.name: - dashed_name: process-session-leader-parent-session-leader-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.session_leader.user.hash: - dashed_name: process-session-leader-parent-session-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.session_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.session_leader.parent.session_leader.user.id: - dashed_name: process-session-leader-parent-session-leader-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.session_leader.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.session_leader.parent.session_leader.user.name: - dashed_name: process-session-leader-parent-session-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.session_leader.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.session_leader.parent.session_leader.user.risk.calculated_level: - dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.session_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.parent.session_leader.user.risk.calculated_score: - dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.session_leader.parent.session_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.session_leader.parent.session_leader.user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.parent.session_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.session_leader.parent.session_leader.user.risk.static_level: - dashed_name: process-session-leader-parent-session-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.session_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.parent.session_leader.user.risk.static_score: - dashed_name: process-session-leader-parent-session-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.session_leader.parent.session_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.session_leader.parent.session_leader.user.risk.static_score_norm: - dashed_name: process-session-leader-parent-session-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.session_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.parent.session_leader.user.roles: - dashed_name: process-session-leader-parent-session-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.session_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.session_leader.vpid: - dashed_name: process-session-leader-parent-session-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.session_leader.parent.session_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. 
- type: long - process.session_leader.parent.session_leader.working_directory: - dashed_name: process-session-leader-parent-session-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.session_leader.parent.session_leader.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword - process.session_leader.parent.start: - dashed_name: process-session-leader-parent-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.session_leader.parent.supplemental_groups.domain: - dashed_name: process-session-leader-parent-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.supplemental_groups.id: - dashed_name: process-session-leader-parent-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.session_leader.parent.supplemental_groups.name: - dashed_name: process-session-leader-parent-supplemental-groups-name - description: Name of the group. - flat_name: process.session_leader.parent.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.thread.capabilities.effective: - dashed_name: process-session-leader-parent-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.parent.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.thread.capabilities.permitted: - dashed_name: process-session-leader-parent-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.parent.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.thread.id: - dashed_name: process-session-leader-parent-thread-id - description: Thread ID. - example: 4242 - flat_name: process.session_leader.parent.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. 
- type: long - process.session_leader.parent.thread.name: - dashed_name: process-session-leader-parent-thread-name - description: Thread name. - example: thread-0 - flat_name: process.session_leader.parent.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword - process.session_leader.parent.title: - dashed_name: process-session-leader-parent-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - flat_name: process.session_leader.parent.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword - process.session_leader.parent.tty: - dashed_name: process-session-leader-parent-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.session_leader.parent.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.session_leader.parent.tty.char_device.major: - dashed_name: process-session-leader-parent-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.session_leader.parent.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. 
- type: long - process.session_leader.parent.tty.char_device.minor: - dashed_name: process-session-leader-parent-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.session_leader.parent.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long - process.session_leader.parent.tty.columns: - dashed_name: process-session-leader-parent-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.session_leader.parent.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.session_leader.parent.tty.rows: - dashed_name: process-session-leader-parent-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.session_leader.parent.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.session_leader.parent.uptime: - dashed_name: process-session-leader-parent-uptime - description: Seconds the process has been up. 
- example: 1325 - flat_name: process.session_leader.parent.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long - process.session_leader.parent.user.domain: - dashed_name: process-session-leader-parent-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.session_leader.parent.user.email: - dashed_name: process-session-leader-parent-user-email - description: User email address. - flat_name: process.session_leader.parent.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.parent.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.session_leader.parent.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.session_leader.parent.user.entity.behavior: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.session_leader.parent.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.parent.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.session_leader.parent.user.entity.id: - dashed_name: process-session-leader-parent-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). 
For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.session_leader.parent.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.session_leader.parent.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.parent.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.session_leader.parent.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.session_leader.parent.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. 
- flat_name: process.session_leader.parent.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.session_leader.parent.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.session_leader.parent.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.session_leader.parent.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.session_leader.parent.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.session_leader.parent.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. 
Format may vary by entity type and source system. - flat_name: process.session_leader.parent.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.session_leader.parent.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.session_leader.parent.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.session_leader.parent.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.parent.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.session_leader.parent.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. 
Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. 
Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. 
- Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.session_leader.parent.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.session_leader.parent.user.full_name: - dashed_name: process-session-leader-parent-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.parent.user.group.domain: - dashed_name: process-session-leader-parent-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.user.group.id: - dashed_name: process-session-leader-parent-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.user.group.name: - dashed_name: process-session-leader-parent-user-group-name - description: Name of the group. 
- flat_name: process.session_leader.parent.user.group.name - ignore_above: 1024 + original_fieldset: process + short: The TTY character device's major number. + type: long + process.parent.tty.char_device.minor: + dashed_name: process-parent-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.parent.tty.char_device.minor level: extended - name: name + name: tty.char_device.minor normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.user.hash: - dashed_name: process-session-leader-parent-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.user.hash - ignore_above: 1024 + original_fieldset: process + short: The TTY character device's minor number. + type: long + process.parent.uptime: + dashed_name: process-parent-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.parent.uptime level: extended - name: hash + name: uptime normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.session_leader.parent.user.id: - dashed_name: process-session-leader-parent-user-id + original_fieldset: process + short: Seconds the process has been up. + type: long + process.parent.user.id: + dashed_name: process-parent-user-id description: Unique identifier of the user. 
example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.user.id + flat_name: process.parent.user.id ignore_above: 1024 level: core name: id @@ -60409,15 +16615,15 @@ process: original_fieldset: user short: Unique identifier of the user. type: keyword - process.session_leader.parent.user.name: - dashed_name: process-session-leader-parent-user-name + process.parent.user.name: + dashed_name: process-parent-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.session_leader.parent.user.name + flat_name: process.parent.user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.session_leader.parent.user.name.text + - flat_name: process.parent.user.name.text name: text type: match_only_text name: name 
@@ -60425,109 +16631,15 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword - process.session_leader.parent.user.risk.calculated_level: - dashed_name: process-session-leader-parent-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.parent.user.risk.calculated_score: - dashed_name: process-session-leader-parent-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.session_leader.parent.user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.parent.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float - process.session_leader.parent.user.risk.static_level: - dashed_name: process-session-leader-parent-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.parent.user.risk.static_score: - dashed_name: process-session-leader-parent-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.session_leader.parent.user.risk.static_score_norm: - dashed_name: process-session-leader-parent-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.parent.user.roles: - dashed_name: process-session-leader-parent-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.vpid: - dashed_name: process-session-leader-parent-vpid + process.parent.vpid: + dashed_name: process-parent-vpid description: 'Virtual process id. The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within.' example: 4242 - flat_name: process.session_leader.parent.vpid + flat_name: process.parent.vpid format: string level: core name: vpid @@ -60535,15 +16647,15 @@ process: original_fieldset: process short: Virtual process id. type: long - process.session_leader.parent.working_directory: - dashed_name: process-session-leader-parent-working-directory + process.parent.working_directory: + dashed_name: process-parent-working-directory description: The working directory of the process. example: /home/alice - flat_name: process.session_leader.parent.working_directory + flat_name: process.parent.working_directory ignore_above: 1024 level: extended multi_fields: - - flat_name: process.session_leader.parent.working_directory.text + - flat_name: process.parent.working_directory.text name: text type: match_only_text name: working_directory @@ -60551,11 +16663,11 @@ process: original_fieldset: process short: The working directory of the process. type: keyword - process.session_leader.pe.architecture: - dashed_name: process-session-leader-pe-architecture + process.pe.architecture: + dashed_name: process-pe-architecture description: CPU architecture target for the file. example: x64 - flat_name: process.session_leader.pe.architecture + flat_name: process.pe.architecture ignore_above: 1024 level: extended name: architecture 
@@ -60563,11 +16675,11 @@ process: original_fieldset: pe short: CPU architecture target for the file. type: keyword - process.session_leader.pe.company: - dashed_name: process-session-leader-pe-company + process.pe.company: + dashed_name: process-pe-company description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation - flat_name: process.session_leader.pe.company + flat_name: process.pe.company ignore_above: 1024 level: extended name: company @@ -60575,11 +16687,11 @@ process: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword - process.session_leader.pe.description: - dashed_name: process-session-leader-pe-description + process.pe.description: + dashed_name: process-pe-description description: Internal description of the file, provided at compile-time. example: Paint - flat_name: process.session_leader.pe.description + flat_name: process.pe.description ignore_above: 1024 level: extended name: description @@ -60587,11 +16699,11 @@ process: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword - process.session_leader.pe.file_version: - dashed_name: process-session-leader-pe-file-version + process.pe.file_version: + dashed_name: process-pe-file-version description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 - flat_name: process.session_leader.pe.file_version + flat_name: process.pe.file_version ignore_above: 1024 level: extended name: file_version 
@@ -60599,8 +16711,8 @@ process: original_fieldset: pe short: Process name. type: keyword - process.session_leader.pe.go_import_hash: - dashed_name: process-session-leader-pe-go-import-hash + process.pe.go_import_hash: + dashed_name: process-pe-go-import-hash description: 'A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would @@ -60609,7 +16721,7 @@ process: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.pe.go_import_hash + flat_name: process.pe.go_import_hash ignore_above: 1024 level: extended name: go_import_hash @@ -60617,20 +16729,20 @@ process: original_fieldset: pe short: A hash of the Go language imports in a PE file. type: keyword - process.session_leader.pe.go_imports: - dashed_name: process-session-leader-pe-go-imports + process.pe.go_imports: + dashed_name: process-pe-go-imports description: List of imported Go language element names and types. - flat_name: process.session_leader.pe.go_imports + flat_name: process.pe.go_imports level: extended name: go_imports normalize: [] original_fieldset: pe short: List of imported Go language element names and types. type: flattened - process.session_leader.pe.go_imports_names_entropy: - dashed_name: process-session-leader-pe-go-imports-names-entropy + process.pe.go_imports_names_entropy: + dashed_name: process-pe-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.pe.go_imports_names_entropy + flat_name: process.pe.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy 
@@ -60638,10 +16750,10 @@ process: original_fieldset: pe short: Shannon entropy calculation from the list of Go imports. type: long - process.session_leader.pe.go_imports_names_var_entropy: - dashed_name: process-session-leader-pe-go-imports-names-var-entropy + process.pe.go_imports_names_var_entropy: + dashed_name: process-pe-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.pe.go_imports_names_var_entropy + flat_name: process.pe.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy @@ -60649,26 +16761,26 @@ process: original_fieldset: pe short: Variance for Shannon entropy calculation from the list of Go imports. type: long - process.session_leader.pe.go_stripped: - dashed_name: process-session-leader-pe-go-stripped + process.pe.go_stripped: + dashed_name: process-pe-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.pe.go_stripped + flat_name: process.pe.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: pe short: Whether the file is a stripped or obfuscated Go executable. type: boolean - process.session_leader.pe.imphash: - dashed_name: process-session-leader-pe-imphash + process.pe.imphash: + dashed_name: process-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.session_leader.pe.imphash + flat_name: process.pe.imphash ignore_above: 1024 level: extended name: imphash 
@@ -60676,15 +16788,15 @@ process: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword - process.session_leader.pe.import_hash: - dashed_name: process-session-leader-pe-import-hash + process.pe.import_hash: + dashed_name: process-pe-import-hash description: 'A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for imphash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.pe.import_hash + flat_name: process.pe.import_hash ignore_above: 1024 level: extended name: import_hash @@ -60692,10 +16804,10 @@ process: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword - process.session_leader.pe.imports: - dashed_name: process-session-leader-pe-imports + process.pe.imports: + dashed_name: process-pe-imports description: List of imported element names and types. - flat_name: process.session_leader.pe.imports + flat_name: process.pe.imports level: extended name: imports normalize: @@ -60703,11 +16815,11 @@ process: original_fieldset: pe short: List of imported element names and types. type: flattened - process.session_leader.pe.imports_names_entropy: - dashed_name: process-session-leader-pe-imports-names-entropy + process.pe.imports_names_entropy: + dashed_name: process-pe-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.session_leader.pe.imports_names_entropy + flat_name: process.pe.imports_names_entropy format: number level: extended name: imports_names_entropy 
@@ -60716,11 +16828,11 @@ process: short: Shannon entropy calculation from the list of imported element names and types. type: long - process.session_leader.pe.imports_names_var_entropy: - dashed_name: process-session-leader-pe-imports-names-var-entropy + process.pe.imports_names_var_entropy: + dashed_name: process-pe-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.session_leader.pe.imports_names_var_entropy + flat_name: process.pe.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy @@ -60729,11 +16841,11 @@ process: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long - process.session_leader.pe.original_file_name: - dashed_name: process-session-leader-pe-original-file-name + process.pe.original_file_name: + dashed_name: process-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE - flat_name: process.session_leader.pe.original_file_name + flat_name: process.pe.original_file_name ignore_above: 1024 level: extended name: original_file_name @@ -60741,15 +16853,15 @@ process: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: keyword - process.session_leader.pe.pehash: - dashed_name: process-session-leader-pe-pehash + process.pe.pehash: + dashed_name: process-pe-pehash description: 'A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.session_leader.pe.pehash + flat_name: process.pe.pehash ignore_above: 1024 level: extended name: pehash 
@@ -60757,11 +16869,11 @@ process: original_fieldset: pe short: A hash of the PE header and data from one or more PE sections. type: keyword - process.session_leader.pe.product: - dashed_name: process-session-leader-pe-product + process.pe.product: + dashed_name: process-pe-product description: Internal product name of the file, provided at compile-time. example: Microsoft® Windows® Operating System - flat_name: process.session_leader.pe.product + flat_name: process.pe.product ignore_above: 1024 level: extended name: product @@ -60769,13 +16881,13 @@ process: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword - process.session_leader.pe.sections: - dashed_name: process-session-leader-pe-sections + process.pe.sections: + dashed_name: process-pe-sections description: 'An array containing an object for each section of the PE file. The keys that should be present in these objects are defined by sub-fields underneath `pe.sections.*`.' - flat_name: process.session_leader.pe.sections + flat_name: process.pe.sections level: extended name: sections normalize: @@ -60783,10 +16895,10 @@ process: original_fieldset: pe short: Section information of the PE file. type: nested - process.session_leader.pe.sections.entropy: - dashed_name: process-session-leader-pe-sections-entropy + process.pe.sections.entropy: + dashed_name: process-pe-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.session_leader.pe.sections.entropy + flat_name: process.pe.sections.entropy format: number level: extended name: sections.entropy 
@@ -60794,10 +16906,10 @@ process: original_fieldset: pe short: Shannon entropy calculation from the section. type: long - process.session_leader.pe.sections.name: - dashed_name: process-session-leader-pe-sections-name + process.pe.sections.name: + dashed_name: process-pe-sections-name description: PE Section List name. - flat_name: process.session_leader.pe.sections.name + flat_name: process.pe.sections.name ignore_above: 1024 level: extended name: sections.name @@ -60805,10 +16917,10 @@ process: original_fieldset: pe short: PE Section List name. type: keyword - process.session_leader.pe.sections.physical_size: - dashed_name: process-session-leader-pe-sections-physical-size + process.pe.sections.physical_size: + dashed_name: process-pe-sections-physical-size description: PE Section List physical size. - flat_name: process.session_leader.pe.sections.physical_size + flat_name: process.pe.sections.physical_size format: bytes level: extended name: sections.physical_size @@ -60816,10 +16928,10 @@ process: original_fieldset: pe short: PE Section List physical size. type: long - process.session_leader.pe.sections.var_entropy: - dashed_name: process-session-leader-pe-sections-var-entropy + process.pe.sections.var_entropy: + dashed_name: process-pe-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.pe.sections.var_entropy + flat_name: process.pe.sections.var_entropy format: number level: extended name: sections.var_entropy 
@@ -60827,61 +16939,138 @@ process: original_fieldset: pe short: Variance for Shannon entropy calculation from the section. type: long - process.session_leader.pe.sections.virtual_size: - dashed_name: process-session-leader-pe-sections-virtual-size + process.pe.sections.virtual_size: + dashed_name: process-pe-sections-virtual-size description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.session_leader.pe.sections.virtual_size + flat_name: process.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.pid: + dashed_name: process-pid + description: Process id. + example: 4242 + flat_name: process.pid format: string + level: core + name: pid + normalize: [] + otel: + - relation: match + stability: development + short: Process id. + type: long + process.previous.args: + dashed_name: process-previous-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.previous.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.previous.args_count: + dashed_name: process-previous-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.previous.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. 
+ type: long + process.previous.executable: + dashed_name: process-previous-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.previous.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword + process.real_group.id: + dashed_name: process-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.real_group.name: + dashed_name: process-real-group-name + description: Name of the group. + flat_name: process.real_group.name + ignore_above: 1024 level: extended - name: sections.virtual_size + name: name normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.session_leader.pid: - dashed_name: process-session-leader-pid - description: Process id. - example: 4242 - flat_name: process.session_leader.pid - format: string + original_fieldset: group + short: Name of the group. + type: keyword + process.real_user.id: + dashed_name: process-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.real_user.id + ignore_above: 1024 level: core - name: pid + name: id normalize: [] - original_fieldset: process + original_fieldset: user otel: - relation: match - short: Process id. - type: long - process.session_leader.platform_binary: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.session_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.session_leader.real_group.domain: - dashed_name: process-session-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.real_group.domain + stability: development + short: Unique identifier of the user. + type: keyword + process.real_user.name: + dashed_name: process-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.real_user.name ignore_above: 1024 - level: extended - name: domain + level: core + multi_fields: + - flat_name: process.real_user.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. + original_fieldset: user + otel: + - relation: match + stability: development + short: Short name or login of the user. type: keyword - process.session_leader.real_group.id: - dashed_name: process-session-leader-real-group-id + process.saved_group.id: + dashed_name: process-saved-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.real_group.id + flat_name: process.saved_group.id ignore_above: 1024 level: extended name: id 
@@ -60889,10 +17078,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.session_leader.real_group.name: - dashed_name: process-session-leader-real-group-name + process.saved_group.name: + dashed_name: process-saved-group-name description: Name of the group. - flat_name: process.session_leader.real_group.name + flat_name: process.saved_group.name ignore_above: 1024 level: extended name: name 
@@ -60900,325 +17089,323 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.session_leader.real_user.domain: - dashed_name: process-session-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.real_user.domain + process.saved_user.id: + dashed_name: process-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.saved_user.id ignore_above: 1024 - level: extended - name: domain + level: core + name: id normalize: [] original_fieldset: user - short: Name of the directory the user is a member of. + otel: + - relation: match + stability: development + short: Unique identifier of the user. type: keyword - process.session_leader.real_user.email: - dashed_name: process-session-leader-real-user-email - description: User email address. - flat_name: process.session_leader.real_user.email + process.saved_user.name: + dashed_name: process-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.saved_user.name ignore_above: 1024 - level: extended - name: email + level: core + multi_fields: + - flat_name: process.saved_user.name.text + name: text + type: match_only_text + name: name normalize: [] original_fieldset: user - short: User email address. + otel: + - relation: match + stability: development + short: Short name or login of the user. type: keyword - process.session_leader.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. 
Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.session_leader.real_user.entity.attributes + process.session_leader.args: + dashed_name: process-session-leader-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.session_leader.args + ignore_above: 1024 level: extended - name: attributes + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.session_leader.args_count: + dashed_name: process-session-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.session_leader.args_count + level: extended + name: args_count normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.session_leader.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.real_user.entity.behavior + original_fieldset: process + short: Length of the process.args array. 
+ type: long + process.session_leader.command_line: + dashed_name: process-session-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.session_leader.command_line level: extended - name: behavior + multi_fields: + - flat_name: process.session_leader.command_line.text + name: text + type: match_only_text + name: command_line normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.session_leader.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.real_user.entity.display_name + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.session_leader.entity_id: + dashed_name: process-session-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' 
+ example: c2c455d9f99375d + flat_name: process.session_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.session_leader.executable: + dashed_name: process-session-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.session_leader.executable ignore_above: 1024 level: extended multi_fields: - - flat_name: process.session_leader.real_user.entity.display_name.text + - flat_name: process.session_leader.executable.text name: text type: match_only_text - name: display_name + name: executable normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. + original_fieldset: process + short: Absolute path to the process executable. type: keyword - process.session_leader.real_user.entity.id: - dashed_name: process-session-leader-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.session_leader.real_user.entity.id + process.session_leader.group.id: + dashed_name: process-session-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.group.id ignore_above: 1024 - level: core + level: extended name: id normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. 
+ original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword - process.session_leader.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.session_leader.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.real_user.entity.lifecycle + process.session_leader.group.name: + dashed_name: process-session-leader-group-name + description: Name of the group. + flat_name: process.session_leader.group.name + ignore_above: 1024 level: extended - name: lifecycle + name: name normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.session_leader.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.session_leader.real_user.entity.metrics + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.session_leader.interactive: + dashed_name: process-session-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.session_leader.interactive level: extended - name: metrics + name: interactive normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.session_leader.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.session_leader.real_user.entity.name + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.session_leader.name: + dashed_name: process-session-leader-name + description: 'Process name. + + Sometimes called program name or similar.' 
+ example: ssh + flat_name: process.session_leader.name ignore_above: 1024 - level: core + level: extended multi_fields: - - flat_name: process.session_leader.real_user.entity.name.text + - flat_name: process.session_leader.name.text name: text type: match_only_text name: name normalize: [] - original_fieldset: entity - short: The name of the entity. + original_fieldset: process + short: Process name. type: keyword - process.session_leader.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.session_leader.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.session_leader.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.real_user.entity.reference + process.session_leader.parent.entity_id: + dashed_name: process-session-leader-parent-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. 
+ + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.session_leader.parent.entity_id ignore_above: 1024 level: extended - name: reference + name: entity_id normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. + original_fieldset: process + short: Unique identifier for the process. type: keyword - process.session_leader.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.session_leader.real_user.entity.source - ignore_above: 1024 + process.session_leader.parent.pid: + dashed_name: process-session-leader-parent-pid + description: Process id. + example: 4242 + flat_name: process.session_leader.parent.pid + format: string level: core - name: source + name: pid normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.session_leader.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.real_user.entity.sub_type + original_fieldset: process + short: Process id. 
+ type: long + process.session_leader.parent.session_leader.entity_id: + dashed_name: process-session-leader-parent-session-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.session_leader.parent.session_leader.entity_id ignore_above: 1024 level: extended - name: sub_type + name: entity_id normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. + original_fieldset: process + short: Unique identifier for the process. type: keyword - process.session_leader.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. 
- Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. 
Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.session_leader.real_user.entity.type - ignore_above: 1024 + process.session_leader.parent.session_leader.pid: + dashed_name: process-session-leader-parent-session-leader-pid + description: Process id. + example: 4242 + flat_name: process.session_leader.parent.session_leader.pid + format: string level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. 
- type: keyword - process.session_leader.real_user.full_name: - dashed_name: process-session-leader-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.real_user.full_name - ignore_above: 1024 + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.session_leader.parent.session_leader.start: + dashed_name: process-session-leader-parent-session-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.parent.session_leader.start level: extended - multi_fields: - - flat_name: process.session_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.session_leader.parent.session_leader.vpid: + dashed_name: process-session-leader-parent-session-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.session_leader.parent.session_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.session_leader.parent.start: + dashed_name: process-session-leader-parent-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.parent.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.session_leader.parent.vpid: + dashed_name: process-session-leader-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. 
This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.session_leader.parent.vpid + format: string + level: core + name: vpid normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.real_user.group.domain: - dashed_name: process-session-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain + original_fieldset: process + short: Virtual process id. + type: long + process.session_leader.pid: + dashed_name: process-session-leader-pid + description: Process id. + example: 4242 + flat_name: process.session_leader.pid + format: string + level: core + name: pid normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.real_user.group.id: - dashed_name: process-session-leader-real-user-group-id + original_fieldset: process + otel: + - relation: match + stability: development + short: Process id. + type: long + process.session_leader.real_group.id: + dashed_name: process-session-leader-real-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.real_user.group.id + flat_name: process.session_leader.real_group.id ignore_above: 1024 level: extended name: id 
@@ -61226,10 +17413,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.session_leader.real_user.group.name: - dashed_name: process-session-leader-real-user-group-name + process.session_leader.real_group.name: + dashed_name: process-session-leader-real-group-name description: Name of the group. - flat_name: process.session_leader.real_user.group.name + flat_name: process.session_leader.real_group.name ignore_above: 1024 level: extended name: name @@ -61237,21 +17424,6 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.session_leader.real_user.hash: - dashed_name: process-session-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword process.session_leader.real_user.id: dashed_name: process-session-leader-real-user-id description: Unique identifier of the user. 
@@ -61280,100 +17452,6 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword - process.session_leader.real_user.risk.calculated_level: - dashed_name: process-session-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.real_user.risk.calculated_score: - dashed_name: process-session-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.session_leader.real_user.risk.calculated_score_norm: - dashed_name: process-session-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float - process.session_leader.real_user.risk.static_level: - dashed_name: process-session-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.real_user.risk.static_score: - dashed_name: process-session-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.session_leader.real_user.risk.static_score_norm: - dashed_name: process-session-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.real_user.roles: - dashed_name: process-session-leader-real-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword process.session_leader.same_as_process: dashed_name: process-session-leader-same-as-process description: 'This boolean is used to identify if a leader process is the same @@ -61404,19 +17482,6 @@ process: short: This boolean is used to identify if a leader process is the same as the top level process. type: boolean - process.session_leader.saved_group.domain: - dashed_name: process-session-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword process.session_leader.saved_group.id: dashed_name: process-session-leader-saved-group-id description: Unique identifier for the group on the system/platform. 
@@ -61432,486 +17497,40 @@ process: dashed_name: process-session-leader-saved-group-name description: Name of the group. flat_name: process.session_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.saved_user.domain: - dashed_name: process-session-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.session_leader.saved_user.email: - dashed_name: process-session-leader-saved-user-email - description: User email address. - flat_name: process.session_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.session_leader.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.session_leader.saved_user.entity.behavior: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.session_leader.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.saved_user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.session_leader.saved_user.entity.id: - dashed_name: process-session-leader-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). 
For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.session_leader.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.session_leader.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.session_leader.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.session_leader.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. 
- flat_name: process.session_leader.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.session_leader.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.session_leader.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.saved_user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.session_leader.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.session_leader.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.session_leader.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. 
Format may vary by entity type and source system. - flat_name: process.session_leader.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.session_leader.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.session_leader.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.session_leader.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.session_leader.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. 
Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. 
Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. 
- Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.session_leader.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.session_leader.saved_user.full_name: - dashed_name: process-session-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.saved_user.group.domain: - dashed_name: process-session-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.saved_user.group.id: - dashed_name: process-session-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.saved_user.group.name: - dashed_name: process-session-leader-saved-user-group-name - description: Name of the group. 
- flat_name: process.session_leader.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.saved_user.hash: - dashed_name: process-session-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.session_leader.saved_user.id: - dashed_name: process-session-leader-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.session_leader.saved_user.name: - dashed_name: process-session-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.session_leader.saved_user.risk.calculated_level: - dashed_name: process-session-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: High - flat_name: process.session_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.saved_user.risk.calculated_score: - dashed_name: process-session-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.session_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-session-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.session_leader.saved_user.risk.static_level: - dashed_name: process-session-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.session_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.saved_user.risk.static_score: - dashed_name: process-session-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.session_leader.saved_user.risk.static_score_norm: - dashed_name: process-session-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.saved_user.risk.static_score_norm + ignore_above: 1024 level: extended - name: static_score_norm + name: name normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.saved_user.roles: - dashed_name: process-session-leader-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.saved_user.roles + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.saved_user.id: + dashed_name: process-session-leader-saved-user-id + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.saved_user.id ignore_above: 1024 - level: extended - name: roles - normalize: - - array + level: core + name: id + normalize: [] original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none + short: Unique identifier of the user. + type: keyword + process.session_leader.saved_user.name: + dashed_name: process-session-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. type: keyword process.session_leader.start: dashed_name: process-session-leader-start @@ -61924,19 +17543,6 @@ process: original_fieldset: process short: The time the process started. type: date - process.session_leader.supplemental_groups.domain: - dashed_name: process-session-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword process.session_leader.supplemental_groups.id: dashed_name: process-session-leader-supplemental-groups-id description: Unique identifier for the group on the system/platform. 
@@ -61959,80 +17565,6 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.session_leader.thread.capabilities.effective: - dashed_name: process-session-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword - process.session_leader.thread.capabilities.permitted: - dashed_name: process-session-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.session_leader.thread.id: - dashed_name: process-session-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.session_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long - process.session_leader.thread.name: - dashed_name: process-session-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.session_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. 
- type: keyword - process.session_leader.title: - dashed_name: process-session-leader-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - flat_name: process.session_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword process.session_leader.tty: dashed_name: process-session-leader-tty description: Information about the controlling TTY device. If set, the process 
@@ -62072,397 +17604,6 @@ process: original_fieldset: process short: The TTY character device's minor number. type: long - process.session_leader.tty.columns: - dashed_name: process-session-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.session_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.session_leader.tty.rows: - dashed_name: process-session-leader-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.session_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.session_leader.uptime: - dashed_name: process-session-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.session_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long - process.session_leader.user.domain: - dashed_name: process-session-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. 
- type: keyword - process.session_leader.user.email: - dashed_name: process-session-leader-user-email - description: User email address. - flat_name: process.session_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.session_leader.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.session_leader.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.session_leader.user.entity.display_name: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.session_leader.user.entity.id: - dashed_name: process-session-leader-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.session_leader.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.session_leader.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. 
- flat_name: process.session_leader.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.session_leader.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.session_leader.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.session_leader.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.session_leader.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. 
- flat_name: process.session_leader.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.session_leader.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.session_leader.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.session_leader.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.session_leader.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). 
- flat_name: process.session_leader.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.session_leader.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.session_leader.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. 
- Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. 
Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.session_leader.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.session_leader.user.full_name: - dashed_name: process-session-leader-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.session_leader.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.user.group.domain: - dashed_name: process-session-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.user.group.id: - dashed_name: process-session-leader-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.user.group.name: - dashed_name: process-session-leader-user-group-name - description: Name of the group. - flat_name: process.session_leader.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.user.hash: - dashed_name: process-session-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. 
- type: keyword process.session_leader.user.id: dashed_name: process-session-leader-user-id description: Unique identifier of the user. 
@@ -62491,100 +17632,6 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword - process.session_leader.user.risk.calculated_level: - dashed_name: process-session-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.user.risk.calculated_score: - dashed_name: process-session-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.session_leader.user.risk.calculated_score_norm: - dashed_name: process-session-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float - process.session_leader.user.risk.static_level: - dashed_name: process-session-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.user.risk.static_score: - dashed_name: process-session-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.session_leader.user.risk.static_score_norm: - dashed_name: process-session-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.user.roles: - dashed_name: process-session-leader-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword process.session_leader.vpid: dashed_name: process-session-leader-vpid description: 'Virtual process id. @@ -62627,19 +17674,6 @@ process: normalize: [] short: The time the process started. type: date - process.supplemental_groups.domain: - dashed_name: process-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword process.supplemental_groups.id: dashed_name: process-supplemental-groups-id description: Unique identifier for the group on the system/platform. @@ -62731,6 +17765,7 @@ process: normalize: [] otel: - relation: match + stability: development short: Process title. type: keyword process.tty: 
@@ -62806,360 +17841,9 @@ process: otel: - metric: process.uptime relation: metric + stability: development short: Seconds the process has been up. type: long - process.user.domain: - dashed_name: process-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.user.email: - dashed_name: process-user-email - description: User email address. - flat_name: process.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.user.entity.id: - dashed_name: process-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. 
- dashed_name: process-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. 
- flat_name: process.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.user.entity.sub_type: - beta: This field is beta and subject to change. 
- dashed_name: process-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. 
Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. 
- name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. - This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: process-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: process.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.user.full_name: - dashed_name: process-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.user.group.domain: - dashed_name: process-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.user.group.id: - dashed_name: process-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.user.group.name: - dashed_name: process-user-group-name - description: Name of the group. - flat_name: process.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.user.hash: - dashed_name: process-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword process.user.id: dashed_name: process-user-id description: Unique identifier of the user. @@ -63172,6 +17856,7 @@ process: original_fieldset: user otel: - relation: match + stability: development short: Unique identifier of the user. type: keyword process.user.name: 
@@ -63190,102 +17875,9 @@ process: original_fieldset: user otel: - relation: match + stability: development short: Short name or login of the user. type: keyword - process.user.risk.calculated_level: - dashed_name: process-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.user.risk.calculated_score: - dashed_name: process-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.user.risk.calculated_score_norm: - dashed_name: process-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.user.risk.static_level: - dashed_name: process-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.user.risk.static_score: - dashed_name: process-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.user.risk.static_score_norm: - dashed_name: process-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.user.roles: - dashed_name: process-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword process.vpid: dashed_name: process-vpid description: 'Virtual process id. @@ -63301,6 +17893,7 @@ process: normalize: [] otel: - relation: match + stability: development short: Virtual process id. type: long process.working_directory: 
@@ -63318,6 +17911,7 @@ process: normalize: [] otel: - relation: match + stability: development short: The working directory of the process. type: keyword group: 2 @@ -63961,6 +18555,7 @@ server: normalize: [] otel: - relation: match + stability: stable short: Server network address. type: keyword server.as.number: @@ -64228,6 +18823,7 @@ server: normalize: [] otel: - relation: match + stability: stable short: Port of the server. type: long server.registered_domain: 
@@ -64306,268 +18902,6 @@ server: original_fieldset: user short: User email address. type: keyword - server.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: server.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - server.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: server.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - server.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: server.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: server.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - server.user.entity.id: - dashed_name: server-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: server.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - server.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: server.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - server.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: server.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - server.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: server.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - server.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: server.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: server.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - server.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. 
- flat_name: server.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - server.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: server.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - server.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: server.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - server.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: server.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - server.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. 
- This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: server-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: server.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword server.user.full_name: dashed_name: server-user-full-name description: User's full name, if available. 
@@ -64662,86 +18996,6 @@ server: original_fieldset: user short: Short name or login of the user. type: keyword - server.user.risk.calculated_level: - dashed_name: server-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: server.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - server.user.risk.calculated_score: - dashed_name: server-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: server.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - server.user.risk.calculated_score_norm: - dashed_name: server-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: server.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - server.user.risk.static_level: - dashed_name: server-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: server.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - server.user.risk.static_score: - dashed_name: server-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: server.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - server.user.risk.static_score_norm: - dashed_name: server-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: server.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float server.user.roles: dashed_name: server-user-roles description: Array of user roles at the time of the event. @@ -65075,6 +19329,7 @@ service: otel: - attribute: deployment.environment.name relation: equivalent + stability: development short: Environment of the service. type: keyword service.ephemeral_id: @@ -65128,6 +19383,7 @@ service: normalize: [] otel: - relation: match + stability: stable short: Name of the service. type: keyword service.node.name: @@ -65153,6 +19409,7 @@ service: otel: - attribute: service.instance.id relation: equivalent + stability: development short: Name of the service node. type: keyword service.node.role: 
@@ -66171,6 +20428,7 @@ service: normalize: [] otel: - relation: match + stability: stable short: Version of the service. type: keyword footnote: The service fields may be self-nested under service.origin.* and service.target.* @@ -66246,6 +20504,7 @@ source: normalize: [] otel: - relation: match + stability: development short: Source network address. type: keyword source.as.number: @@ -66513,6 +20772,7 @@ source: normalize: [] otel: - relation: match + stability: development short: Port of the source. type: long source.registered_domain: 
@@ -66591,268 +20851,6 @@ source: original_fieldset: user short: User email address. type: keyword - source.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: source.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - source.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: source.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - source.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: source.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: source.user.entity.display_name.text - name: text - type: match_only_text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - source.user.entity.id: - dashed_name: source-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: source.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - source.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: source.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - source.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: source.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - source.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: source.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - source.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: source.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: source.user.entity.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - source.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. 
- flat_name: source.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - source.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: source.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - source.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: source.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - source.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: source.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - source.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - - description: Represents a cloud or infrastructure. This includes cloud providers - and their services (such as AWS EC2), and is used to identify or correlate - resources, entities, and activities across accounts or multi-cloud environments. - name: cloud - - description: Represents an orchestration system or orchestrator component. 
- This includes container orchestrators like Kubernetes, Docker Swarm, and - other systems responsible for automating the deployment, management, scaling, - and networking of containers or workloads. - name: orchestrator - beta: This field is beta and subject to change. - dashed_name: source-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' - example: host - flat_name: source.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword source.user.full_name: dashed_name: source-user-full-name description: User's full name, if available. 
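Review bot: this hunk removes the whole `source.user.entity.*` nesting (attributes through type, including the newly added `cloud` and `orchestrator` allowed values) from the generated flat schema, and nothing in the series' subjects or commit messages explains dropping that reuse. If removing `source.user.entity` is intended, state it in the commit message and the reuse docs; if not, the generated files were rebuilt from a different base than the branch and should be regenerated after a rebase so the commit carries only the entity description changes.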
@@ -66947,86 +20945,6 @@ source: original_fieldset: user short: Short name or login of the user. type: keyword - source.user.risk.calculated_level: - dashed_name: source-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: source.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - source.user.risk.calculated_score: - dashed_name: source-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: source.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - source.user.risk.calculated_score_norm: - dashed_name: source-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: source.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - source.user.risk.static_level: - dashed_name: source-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: source.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - source.user.risk.static_score: - dashed_name: source-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: source.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - source.user.risk.static_score_norm: - dashed_name: source-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: source.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float source.user.roles: dashed_name: source-user-roles description: Array of user roles at the time of the event. @@ -72810,6 +26728,7 @@ tls: normalize: [] otel: - relation: match + stability: development short: String indicating the cipher used during the current connection. type: keyword tls.client.certificate: @@ -72825,6 +26744,7 @@ tls: normalize: [] otel: - relation: match + stability: development short: PEM-encoded stand-alone certificate offered by the client. type: keyword tls.client.certificate_chain: 
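Review bot: the `@@ -66947,86 +20945,6 @@` hunk deletes all six `source.user.risk.*` fields (`calculated_level`, `calculated_score`, `calculated_score_norm`, `static_level`, `static_score`, `static_score_norm`), and the header offsets show the new file is roughly 46,000 lines shorter at this point. Neither change is related to the entity description update; please confirm whether this is a deliberate schema change or a stale regeneration, and if the latter, drop these hunks by regenerating on top of the current base.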
@@ -72841,6 +26761,7 @@ tls: - array otel: - relation: match + stability: development short: Array of PEM-encoded certificates that make up the certificate chain offered by the client. type: keyword @@ -72857,6 +26778,7 @@ tls: normalize: [] otel: - relation: match + stability: development short: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. type: keyword @@ -72873,6 +26795,7 @@ tls: normalize: [] otel: - relation: match + stability: development short: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. type: keyword @@ -72889,6 +26812,7 @@ tls: normalize: [] otel: - relation: match + stability: development short: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. type: keyword @@ -72904,6 +26828,7 @@ tls: normalize: [] otel: - relation: match + stability: development short: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. type: keyword @@ -72919,6 +26844,7 @@ tls: normalize: [] otel: - relation: match + stability: development short: A hash that identifies clients based on how they perform an SSL/TLS handshake. type: keyword tls.client.not_after: @@ -72932,6 +26858,7 @@ tls: normalize: [] otel: - relation: match + stability: development short: Date/Time indicating when client certificate is no longer considered valid. type: date @@ -72946,6 +26873,7 @@ tls: normalize: [] otel: - relation: match + stability: development short: Date/Time indicating when client certificate is first considered valid. type: date tls.client.server_name: @@ -72973,6 +26901,7 @@ tls: normalize: [] otel: - relation: match + stability: development short: Distinguished name of subject of the x.509 certificate presented by the client. type: keyword 
@@ -72989,6 +26918,7 @@ tls: - array otel: - relation: match + stability: development short: Array of ciphers offered by the client during the client hello. type: keyword tls.client.x509.alternative_names: @@ -73308,6 +27238,7 @@ tls: normalize: [] otel: - relation: match + stability: development short: String indicating the curve used for the given cipher, when applicable. type: keyword tls.established: @@ -73320,6 +27251,7 @@ tls: normalize: [] otel: - relation: match + stability: development short: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. type: boolean @@ -73336,6 +27268,7 @@ tls: normalize: [] otel: - relation: match + stability: development short: String indicating the protocol being tunneled. type: keyword tls.resumed: @@ -73348,6 +27281,7 @@ tls: normalize: [] otel: - relation: match + stability: development short: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. type: boolean @@ -73364,6 +27298,7 @@ tls: normalize: [] otel: - relation: match + stability: development short: PEM-encoded stand-alone certificate offered by the server. type: keyword tls.server.certificate_chain: @@ -73380,6 +27315,7 @@ tls: - array otel: - relation: match + stability: development short: Array of PEM-encoded certificates that make up the certificate chain offered by the server. type: keyword @@ -73396,6 +27332,7 @@ tls: normalize: [] otel: - relation: match + stability: development short: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. type: keyword @@ -73412,6 +27349,7 @@ tls: normalize: [] otel: - relation: match + stability: development short: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. type: keyword 
@@ -73428,6 +27366,7 @@ tls: normalize: [] otel: - relation: match + stability: development short: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. type: keyword @@ -73443,6 +27382,7 @@ tls: normalize: [] otel: - relation: match + stability: development short: Subject of the issuer of the x.509 certificate presented by the server. type: keyword tls.server.ja3s: @@ -73457,6 +27397,7 @@ tls: normalize: [] otel: - relation: match + stability: development short: A hash that identifies servers based on how they perform an SSL/TLS handshake. type: keyword tls.server.not_after: @@ -73470,6 +27411,7 @@ tls: normalize: [] otel: - relation: match + stability: development short: Timestamp indicating when server certificate is no longer considered valid. type: date @@ -73484,6 +27426,7 @@ tls: normalize: [] otel: - relation: match + stability: development short: Timestamp indicating when server certificate is first considered valid. type: date tls.server.subject: @@ -73497,6 +27440,7 @@ tls: normalize: [] otel: - relation: match + stability: development short: Subject of the x.509 certificate presented by the server. type: keyword tls.server.x509.alternative_names: @@ -73934,6 +27878,7 @@ url: normalize: [] otel: - relation: match + stability: development short: Domain of the url. type: keyword url.extension: @@ -73956,6 +27901,7 @@ url: normalize: [] otel: - relation: match + stability: development short: File extension from the request url, excluding the leading dot. type: keyword url.fragment: @@ -73970,6 +27916,7 @@ url: normalize: [] otel: - relation: match + stability: stable short: Portion of the url after the `#`. type: keyword url.full: @@ -73988,6 +27935,7 @@ url: normalize: [] otel: - relation: match + stability: stable short: Full unparsed URL. type: wildcard url.original: 
@@ -74009,6 +27957,7 @@ url: normalize: [] otel: - relation: match + stability: development short: Unmodified original url as seen in the event source. type: wildcard url.password: @@ -74030,6 +27979,7 @@ url: normalize: [] otel: - relation: match + stability: stable short: Path of the request, such as "/search". type: wildcard url.port: @@ -74043,6 +27993,7 @@ url: normalize: [] otel: - relation: match + stability: development short: Port of the request, such as 443. type: long url.query: @@ -74061,6 +28012,7 @@ url: normalize: [] otel: - relation: match + stability: stable short: Query string of the request. type: keyword url.registered_domain: @@ -74080,6 +28032,7 @@ url: normalize: [] otel: - relation: match + stability: development short: The highest registered url domain, stripped of the subdomain. type: keyword url.scheme: @@ -74095,6 +28048,7 @@ url: normalize: [] otel: - relation: match + stability: stable short: Scheme of the url. type: keyword url.subdomain: @@ -74115,6 +28069,7 @@ url: normalize: [] otel: - relation: match + stability: development short: The subdomain of the domain. type: keyword url.top_level_domain: @@ -74134,6 +28089,7 @@ url: normalize: [] otel: - relation: match + stability: development short: The effective top level domain (com, org, net, co.uk). type: keyword url.username: @@ -75138,6 +29094,7 @@ user: normalize: [] otel: - relation: match + stability: development short: User email address. type: keyword user.entity.attributes: @@ -75417,6 +29374,7 @@ user: normalize: [] otel: - relation: match + stability: development short: User's full name, if available. type: keyword user.group.domain: @@ -75468,6 +29426,7 @@ user: normalize: [] otel: - relation: match + stability: development short: Unique user hash to correlate information for a user in anonymized form. type: keyword user.id: 
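Review bot: every one of these `tls.*`, `url.*` and `user.*` hunks only adds a `stability: development` (or `stable`) key under `otel:`, which has nothing to do with the entity work in this series. These look like they were picked up from another branch when the generated artefacts were rebuilt; either move them to their own commit with a subject that describes them, or rebase and regenerate so they disappear from this diff.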
@@ -75481,6 +29440,7 @@ user: normalize: [] otel: - relation: match + stability: development short: Unique identifier of the user. type: keyword user.name: @@ -75498,6 +29458,7 @@ user: normalize: [] otel: - relation: match + stability: development short: Short name or login of the user. type: keyword user.risk.calculated_level: @@ -75592,6 +29553,7 @@ user: - array otel: - relation: match + stability: development short: Array of user roles at the time of the event. synthetic_source_keep: none type: keyword @@ -76173,6 +30135,7 @@ user_agent: normalize: [] otel: - relation: match + stability: development short: Name of the user agent. type: keyword user_agent.original: @@ -76191,6 +30154,7 @@ user_agent: normalize: [] otel: - relation: match + stability: stable short: Unparsed user_agent string. type: keyword user_agent.os.family: @@ -76309,6 +30273,7 @@ user_agent: normalize: [] otel: - relation: match + stability: development short: Version of the user agent. type: keyword group: 2 From fc03bfa8af64232b81dca25f7eea1dcf7c5a81f1 Mon Sep 17 00:00:00 2001 
From: uri-weisman Date: Wed, 12 Nov 2025 15:20:15 +0200 Subject: [PATCH 5/7] addressing CR --- docs/reference/ecs-entity.md | 6 +- experimental/generated/beats/fields.ecs.yml | 304 +++++++++- experimental/generated/csv/fields.csv | 30 + experimental/generated/ecs/ecs_flat.yml | 553 +++++++++++++++++- experimental/generated/ecs/ecs_nested.yml | 58 +- .../composable/component/entity.json | 132 +++++ .../elasticsearch/composable/template.json | 1 + .../elasticsearch/legacy/template.json | 120 ++++ generated/beats/fields.ecs.yml | 304 +++++++++- generated/csv/fields.csv | 30 + generated/ecs/ecs_flat.yml | 553 +++++++++++++++++- generated/ecs/ecs_nested.yml | 58 +- .../composable/component/entity.json | 132 +++++ .../elasticsearch/composable/template.json | 1 + generated/elasticsearch/legacy/template.json | 120 ++++ schemas/entity.yml | 3 +- 16 files changed, 2324 insertions(+), 81 deletions(-) create mode 100644 experimental/generated/elasticsearch/composable/component/entity.json create mode 100644 generated/elasticsearch/composable/component/entity.json diff --git a/docs/reference/ecs-entity.md b/docs/reference/ecs-entity.md index bbc6cd7115..a5f97f2193 100644 --- a/docs/reference/ecs-entity.md +++ b/docs/reference/ecs-entity.md @@ -27,7 +27,7 @@ The entity fields provide a standardized way to represent and categorize differe | $$$field-entity-reference$$$ [entity.reference](#field-entity-reference) | _This field is beta and subject to change._ A URI, URL, or other direct reference to access or locate the entity in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system.

type: keyword | extended | | $$$field-entity-source$$$ [entity.source](#field-entity-source) | _This field is beta and subject to change._ The module or integration that provided this entity data (similar to event.module).

type: keyword | core | | $$$field-entity-sub-type$$$ [entity.sub_type](#field-entity-sub-type) | _This field is beta and subject to change._ The specific type designation for the entity as defined by its provider or system. This field provides more granular classification than the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` would all map to entity type `bucket`. `hardware` , `virtual` , `container` , `node` , `cloud_instance` would all map to entity type `host`.

type: keyword

example: `aws_s3_bucket` | extended | -| $$$field-entity-type$$$ [entity.type](#field-entity-type) | _This field is beta and subject to change._ A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc.

type: keyword

Note: This field should contain an array of values.

**Important:** The field value must be one of the following:

bucket, database, container, function, queue, host, user, application, service, session, cloud, orchestrator

To learn more about when to use which value, visit the page [allowed values for entity.type](/reference/ecs-allowed-values-entity-type.md)
| core | +| $$$field-entity-type$$$ [entity.type](#field-entity-type) | _This field is beta and subject to change._ A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is nested under a top-level namespace like `host` or `cloud`, its type array should include the matching value — for example, `host` or `cloud`.

type: keyword

Note: This field should contain an array of values.

**Important:** The field value must be one of the following:

bucket, database, container, function, queue, host, user, application, service, session, cloud, orchestrator

To learn more about when to use which value, visit the page [allowed values for entity.type](/reference/ecs-allowed-values-entity-type.md)
| core | ## Field reuse [_field_reuse] @@ -40,7 +40,9 @@ The `entity` fields are expected to be nested at: * `service.entity` * `user.entity` -Note also that the `entity` fields are not expected to be used directly at the root of the events. +Note also that the `entity` fields may be used directly at the root of the events. + + ### Field sets that can be nested under Entity [ecs-entity-nestings] | Location | Field Set | Description | diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 32677d7b88..b07d5ba055 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -625,7 +625,9 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host default_field: false - name: instance.id @@ -787,7 +789,9 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host default_field: false - name: origin.instance.id 
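Review bot: in the rewritten `entity.type` row the `Example values:` list still omits `service`, although `service` appears in the `**Important:** The field value must be one of the following:` list immediately below it; add `service` to the examples (or trim the examples so the two lists do not read as a mismatch). The same description is duplicated verbatim in the `fields.ecs.yml` `description:` hunks that follow, so fix it once in `schemas/entity.yml` and regenerate rather than patching each copy. Nit for the `@@ -40,7 +40,9 @@` hunk: it inserts two blank lines before `### Field sets that can be nested under Entity`; one is enough.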
@@ -1038,7 +1042,9 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host default_field: false - name: target.instance.id 
@@ -2422,6 +2428,262 @@ original email message. example: Spambot v2.5 default_field: false + - name: entity + title: Entity + group: 2 + description: The entity fields provide a standardized way to represent and categorize + different types of components within an IT environment, including those that + don't have dedicated field sets in ECS. An entity represents a discrete, identifiable + component that can be described by a set of attributes and maintains its identity + over time. + footnote: The entity fields may be self-nested under entity.target.* to describe + the target entity in the context of an action or event. The fieldset entity.target.* + must not be confused with the root entity fieldset that is used to describe + the primary entity under observation. The fieldset entity.target.* may only + be used to describe the targeted entity of an action taken. + type: group + default_field: true + fields: + - name: attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. 
+ default_field: false + - name: display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. 
+ default_field: false + - name: name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: target.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. 
Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: target.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: target.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: target.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ default_field: false + - name: target.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: target.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: target.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: target.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: target.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: target.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ default_field: false + - name: target.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: target.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: target.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' + example: host + default_field: false + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' + example: host + default_field: false - name: error title: Error group: 2 
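Review bot: the `target.last_seen_timestamp` description in this hunk is carried over unchanged from the top-level field and says the value is "usually based upon the last event/log that is initiated by this entity", but a field named `target` describes the entity acted upon, not the initiator, so for the `target.*` reuse this wording will usually be wrong; consider overriding the description for the reuse (e.g. "usually based upon the last event/log in which this entity was the target") or loosening the base wording to "that references this entity". Smaller wording fixes in the same hunk: `target.name` reads "this field should mirrors the corresponding *.name value" (should be "should mirror"), `target.id` reads "ARNs values in AWS" (should be "ARN values"), and the `target.sub_type` examples carry stray spaces before the commas (`hardware` , `virtual` , `container` , ...). Fixing these at the source will also clear the same text from every generated copy.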
@@ -4268,7 +4530,9 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host default_field: false - name: geo.city_name @@ -5443,7 +5707,9 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host default_field: false - name: namespace @@ -9391,7 +9657,9 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host default_field: false - name: environment 
@@ -9621,7 +9889,9 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host default_field: false - name: origin.environment @@ -9888,7 +10158,9 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host default_field: false - name: target.environment @@ -14572,7 +14844,9 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host default_field: false - name: changes.full_name 
@@ -14821,7 +15095,9 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host default_field: false - name: effective.full_name @@ -15054,7 +15330,9 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host default_field: false - name: full_name @@ -15291,7 +15569,9 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host default_field: false - name: target.full_name 
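Review bot: the sentence these hunks add ("If an entity is nested under a top-level namespace like `host` or `cloud`, its type array should include the matching value — for example, `host` or `cloud`") is the only text in these descriptions that uses a typographic em dash; everything around it is plain ASCII, so a comma or a parenthetical "for example" would keep the generated CSV and YAML consistent. The context lines also show the same sentence landing in reuses next to `origin.environment`, `target.environment`, `changes.full_name`, `effective.full_name` and `target.full_name`, which appear to be the service and user nestings, so naming only `host` and `cloud` undersells where the rule applies; "its parent namespace (for example `host`, `cloud` or `user`)" would cover those cases too.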
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index f34638850d..9758f073ac 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -290,6 +290,36 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev+exp,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. 9.3.0-dev+exp,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient 9.3.0-dev+exp,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. +9.3.0-dev+exp,true,entity,entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev+exp,true,entity,entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev+exp,true,entity,entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev+exp,true,entity,entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev+exp,true,entity,entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev+exp,true,entity,entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev+exp,true,entity,entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev+exp,true,entity,entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev+exp,true,entity,entity.name,keyword,core,,,The name of the entity. +9.3.0-dev+exp,true,entity,entity.name.text,match_only_text,core,,,The name of the entity. +9.3.0-dev+exp,true,entity,entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev+exp,true,entity,entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
+9.3.0-dev+exp,true,entity,entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev+exp,true,entity,entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev+exp,true,entity,entity.target.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev+exp,true,entity,entity.target.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev+exp,true,entity,entity.target.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev+exp,true,entity,entity.target.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev+exp,true,entity,entity.target.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev+exp,true,entity,entity.target.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev+exp,true,entity,entity.target.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev+exp,true,entity,entity.target.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev+exp,true,entity,entity.target.name,keyword,core,,,The name of the entity. +9.3.0-dev+exp,true,entity,entity.target.name.text,match_only_text,core,,,The name of the entity. +9.3.0-dev+exp,true,entity,entity.target.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev+exp,true,entity,entity.target.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev+exp,true,entity,entity.target.source,keyword,core,,,Source module or integration that provided the entity data. 
+9.3.0-dev+exp,true,entity,entity.target.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev+exp,true,entity,entity.target.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev+exp,true,entity,entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.3.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error. 9.3.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error. 9.3.0-dev+exp,true,error,error.message,match_only_text,core,,,Error message. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 5ae8d81b9f..08235ae013 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -943,7 +943,9 @@ cloud.entity.type: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, its type array should + include the matching value — for example, `host` or `cloud`.' example: host flat_name: cloud.entity.type ignore_above: 1024 
@@ -1274,7 +1276,9 @@ cloud.origin.entity.type: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, its type array should + include the matching value — for example, `host` or `cloud`.' example: host flat_name: cloud.origin.entity.type ignore_above: 1024 @@ -1751,7 +1755,9 @@ cloud.target.entity.type: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, its type array should + include the matching value — for example, `host` or `cloud`.' example: host flat_name: cloud.target.entity.type ignore_above: 1024 
@@ -3929,6 +3935,511 @@ email.x_mailer: normalize: [] short: Application that drafted email. type: keyword +entity.attributes: + beta: This field is beta and subject to change. + dashed_name: entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: entity.attributes + level: extended + name: attributes + normalize: [] + short: A set of static or semi-static attributes of the entity. + type: object +entity.behavior: + beta: This field is beta and subject to change. + dashed_name: entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: entity.behavior + level: extended + name: behavior + normalize: [] + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +entity.display_name: + beta: This field is beta and subject to change. + dashed_name: entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +entity.id: + dashed_name: entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + short: Unique identifier for the entity. + type: keyword +entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + short: Indicates the date/time when this entity was last "seen." + type: date +entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: entity.lifecycle + level: extended + name: lifecycle + normalize: [] + short: A set of temporal characteristics of the entity. + type: object +entity.metrics: + beta: This field is beta and subject to change. + dashed_name: entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: entity.metrics + level: extended + name: metrics + normalize: [] + short: Field set for any fields containing numeric entity metrics. + type: object +entity.name: + beta: This field is beta and subject to change. + dashed_name: entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + short: The name of the entity. + type: keyword +entity.raw: + beta: This field is beta and subject to change. + dashed_name: entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: entity.raw + level: extended + name: raw + normalize: [] + short: Original, unmodified fields from the source system. + type: object +entity.reference: + beta: This field is beta and subject to change. + dashed_name: entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +entity.source: + beta: This field is beta and subject to change. + dashed_name: entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + short: Source module or integration that provided the entity data. + type: keyword +entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +entity.target.attributes: + beta: This field is beta and subject to change. + dashed_name: entity-target-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: entity.target.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. 
+ type: object +entity.target.behavior: + beta: This field is beta and subject to change. + dashed_name: entity-target-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: entity.target.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +entity.target.display_name: + beta: This field is beta and subject to change. + dashed_name: entity-target-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: entity.target.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: entity.target.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +entity.target.id: + dashed_name: entity-target-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. 
Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: entity.target.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +entity.target.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: entity-target-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: entity.target.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +entity.target.lifecycle: + beta: This field is beta and subject to change. + dashed_name: entity-target-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: entity.target.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +entity.target.metrics: + beta: This field is beta and subject to change. + dashed_name: entity-target-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: entity.target.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +entity.target.name: + beta: This field is beta and subject to change. + dashed_name: entity-target-name + description: The name of the entity. 
The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: entity.target.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: entity.target.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +entity.target.raw: + beta: This field is beta and subject to change. + dashed_name: entity-target-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: entity.target.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +entity.target.reference: + beta: This field is beta and subject to change. + dashed_name: entity-target-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: entity.target.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +entity.target.source: + beta: This field is beta and subject to change. + dashed_name: entity-target-source + description: The module or integration that provided this entity data (similar to + event.module). 
+ flat_name: entity.target.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +entity.target.sub_type: + beta: This field is beta and subject to change. + dashed_name: entity-target-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: entity.target.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +entity.target.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. 
+ name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. 
+ name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: entity-target-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, its type array should + include the matching value — for example, `host` or `cloud`.' + example: host + flat_name: entity.target.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. 
+ name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, its type array should + include the matching value — for example, `host` or `cloud`.' 
+ example: host + flat_name: entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + short: Standardized high-level classification of the entity. + type: keyword error.code: dashed_name: error-code description: Error code describing the error. @@ -7544,7 +8055,9 @@ host.entity.type: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, its type array should + include the matching value — for example, `host` or `cloud`.' example: host flat_name: host.entity.type ignore_above: 1024 @@ -9609,7 +10122,9 @@ orchestrator.entity.type: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, its type array should + include the matching value — for example, `host` or `cloud`.' example: host flat_name: orchestrator.entity.type ignore_above: 1024 
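Review bot: the new `cloud` entry in the `entity.type` / `entity.target.type` `allowed_values` block overlaps with `host`: `cloud` is described as including "their services (such as AWS EC2)" while `host` already covers "cloud instances", so the same EC2 instance can legitimately carry either value, and the added sentence "its type array should include the matching value" then makes the answer depend on which namespace the event happened to nest it under. Suggest tightening the `cloud` description to what it is meant to cover (provider, account or service rather than compute instances), for example "Represents a cloud provider, account, or cloud service." in place of the grammatically loose "Represents a cloud or infrastructure.", and stating explicitly whether a cloud instance is `host`, `cloud`, or both. Same block: `container` lists "Kubernetes pods" as containers, but a pod is an orchestrator-managed group of containers; with an `orchestrator` type now in the list, say where a pod belongs.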
@@ -16087,7 +16602,9 @@ service.entity.type: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, its type array should + include the matching value — for example, `host` or `cloud`.' example: host flat_name: service.entity.type ignore_above: 1024 @@ -16505,7 +17022,9 @@ service.origin.entity.type: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, its type array should + include the matching value — for example, `host` or `cloud`.' example: host flat_name: service.origin.entity.type ignore_above: 1024 @@ -16972,7 +17491,9 @@ service.target.entity.type: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, its type array should + include the matching value — for example, `host` or `cloud`.' example: host flat_name: service.target.entity.type ignore_above: 1024 
@@ -24933,7 +25454,9 @@ user.changes.entity.type: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, its type array should + include the matching value — for example, `host` or `cloud`.' example: host flat_name: user.changes.entity.type ignore_above: 1024 @@ -25414,7 +25937,9 @@ user.effective.entity.type: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, its type array should + include the matching value — for example, `host` or `cloud`.' example: host flat_name: user.effective.entity.type ignore_above: 1024 @@ -25872,7 +26397,9 @@ user.entity.type: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, its type array should + include the matching value — for example, `host` or `cloud`.' example: host flat_name: user.entity.type ignore_above: 1024 
@@ -26351,7 +26878,9 @@ user.target.entity.type: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, its type array should + include the matching value — for example, `host` or `cloud`.' example: host flat_name: user.target.entity.type ignore_above: 1024 diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 18ff9f757d..d6425c8906 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -1149,7 +1149,9 @@ cloud: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host flat_name: cloud.entity.type ignore_above: 1024 
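Review bot: the sentence added in this `cloud.entity.type` hunk ("If an entity is nested under a top-level namespace like `host` or `cloud`, its type array should include the matching value") is copied verbatim into every reuse site, including `cloud.origin.entity.type`, `cloud.target.entity.type`, `user.changes.entity.type`, `service.origin.entity.type` and `entity.target.type`, where the "top-level namespace" is not the immediate parent, and for `entity.target.type` there is no such namespace at all. Suggest wording the rule precisely, e.g. "when the entity fields are reused under a field set that is itself an entity type, such as `host.entity` or `cloud.entity`, `type` should include that field set's name", so a reader of the `user.changes.entity.type` copy knows the expected value is `user`. Also worth saying that `allowed_values` only restricts which names may appear, not that a particular one is present: a `host.entity.type` of `[container]` still validates, so consumers should not assume the `host` value is there.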
@@ -1485,7 +1487,9 @@ cloud: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host flat_name: cloud.origin.entity.type ignore_above: 1024 @@ -1967,7 +1971,9 @@ cloud: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host flat_name: cloud.target.entity.type ignore_above: 1024 @@ -5377,7 +5383,9 @@ entity: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host flat_name: entity.target.type ignore_above: 1024 
@@ -5455,7 +5463,9 @@ entity: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host flat_name: entity.type ignore_above: 1024 @@ -5496,7 +5506,7 @@ entity: at: entity full: entity.target short_override: Targeted entity of action taken. - top_level: false + top_level: true reused_here: - full: entity.target schema_name: entity @@ -9613,7 +9623,9 @@ host: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host flat_name: host.entity.type ignore_above: 1024 
@@ -12036,7 +12048,9 @@ orchestrator: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host flat_name: orchestrator.entity.type ignore_above: 1024 @@ -19381,7 +19395,9 @@ service: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host flat_name: service.entity.type ignore_above: 1024 @@ -19806,7 +19822,9 @@ service: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host flat_name: service.origin.entity.type ignore_above: 1024 
@@ -20280,7 +20298,9 @@ service: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host flat_name: service.target.entity.type ignore_above: 1024 @@ -28479,7 +28499,9 @@ user: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host flat_name: user.changes.entity.type ignore_above: 1024 @@ -28965,7 +28987,9 @@ user: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host flat_name: user.effective.entity.type ignore_above: 1024 
@@ -29428,7 +29452,9 @@ user: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host flat_name: user.entity.type ignore_above: 1024 @@ -29912,7 +29938,9 @@ user: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host flat_name: user.target.entity.type ignore_above: 1024 diff --git a/experimental/generated/elasticsearch/composable/component/entity.json b/experimental/generated/elasticsearch/composable/component/entity.json new file mode 100644 index 0000000000..2fe474d6ba --- /dev/null +++ b/experimental/generated/elasticsearch/composable/component/entity.json 
@@ -0,0 +1,132 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-entity.html", + "ecs_version": "9.3.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} 
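Review bot: in this new component template `raw`, `attributes`, `behavior`, `lifecycle` and `metrics` (and their `target.*` copies) are all mapped as plain `"type": "object"` with no `dynamic` setting, which contradicts the field descriptions elsewhere in the patch ("Usually flattened field data type" for `raw`, "These use dynamic field data type mapping" for `metrics`). For `raw`, described as "Original, unmodified fields from the source system", a default dynamic object mapping means every distinct key in source data becomes a new indexed field, so a noisy or untrusted source can grow the mapping until `index.mapping.total_fields.limit` is reached and documents start being rejected. Suggest either generating `"type": "flattened"` for `raw` to match its description, or adding an explicit `"dynamic"` setting on these object fields, and stating in the description which one ECS actually emits so that integrations can size their mappings accordingly.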
diff --git a/experimental/generated/elasticsearch/composable/template.json b/experimental/generated/elasticsearch/composable/template.json index 34fbb14151..16133308ad 100644 --- a/experimental/generated/elasticsearch/composable/template.json +++ b/experimental/generated/elasticsearch/composable/template.json @@ -17,6 +17,7 @@ "ecs_9.3.0-dev-exp_dns", "ecs_9.3.0-dev-exp_ecs", "ecs_9.3.0-dev-exp_email", + "ecs_9.3.0-dev-exp_entity", "ecs_9.3.0-dev-exp_error", "ecs_9.3.0-dev-exp_event", "ecs_9.3.0-dev-exp_faas", diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 6fb8b88cfc..4c8a9f732f 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json 
@@ -1426,6 +1426,126 @@ } } }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "error": { "properties": { "code": { diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index ff7780c1b8..5f7677c551 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -575,7 +575,9 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host default_field: false - name: instance.id @@ -737,7 +739,9 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host default_field: false - name: origin.instance.id @@ -988,7 +992,9 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host default_field: false - name: target.instance.id 
@@ -2372,6 +2378,262 @@ original email message. example: Spambot v2.5 default_field: false + - name: entity + title: Entity + group: 2 + description: The entity fields provide a standardized way to represent and categorize + different types of components within an IT environment, including those that + don't have dedicated field sets in ECS. An entity represents a discrete, identifiable + component that can be described by a set of attributes and maintains its identity + over time. + footnote: The entity fields may be self-nested under entity.target.* to describe + the target entity in the context of an action or event. The fieldset entity.target.* + must not be confused with the root entity fieldset that is used to describe + the primary entity under observation. The fieldset entity.target.* may only + be used to describe the targeted entity of an action taken. + type: group + default_field: true + fields: + - name: attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. 
+ default_field: false + - name: display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. 
+ default_field: false + - name: name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: target.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. 
Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: target.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: target.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: target.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ default_field: false + - name: target.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: target.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: target.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: target.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: target.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: target.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ default_field: false + - name: target.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: target.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: target.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' + example: host + default_field: false + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' + example: host + default_field: false - name: error title: Error group: 2 
@@ -4218,7 +4480,9 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host default_field: false - name: geo.city_name @@ -5393,7 +5657,9 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host default_field: false - name: namespace @@ -9341,7 +9607,9 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host default_field: false - name: environment 
@@ -9571,7 +9839,9 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host default_field: false - name: origin.environment @@ -9838,7 +10108,9 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host default_field: false - name: target.environment @@ -14522,7 +14794,9 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host default_field: false - name: changes.full_name 
@@ -14771,7 +15045,9 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host default_field: false - name: effective.full_name @@ -15004,7 +15280,9 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host default_field: false - name: full_name @@ -15241,7 +15519,9 @@ description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host default_field: false - name: target.full_name diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index fbc5fb3c30..f460c9390a 100644 
--- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -283,6 +283,36 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. 9.3.0-dev,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient 9.3.0-dev,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. +9.3.0-dev,true,entity,entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,entity,entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,entity,entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,entity,entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,entity,entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,entity,entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,entity,entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,entity,entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,entity,entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,entity,entity.name.text,match_only_text,core,,,The name of the entity. +9.3.0-dev,true,entity,entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,entity,entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,entity,entity.source,keyword,core,,,Source module or integration that provided the entity data. 
+9.3.0-dev,true,entity,entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,entity,entity.target.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,entity,entity.target.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,entity,entity.target.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,entity,entity.target.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,entity,entity.target.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,entity,entity.target.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,entity,entity.target.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,entity,entity.target.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,entity,entity.target.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,entity,entity.target.name.text,match_only_text,core,,,The name of the entity. +9.3.0-dev,true,entity,entity.target.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,entity,entity.target.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,entity,entity.target.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,entity,entity.target.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 
+9.3.0-dev,true,entity,entity.target.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,entity,entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.3.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. 9.3.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. 9.3.0-dev,true,error,error.message,match_only_text,core,,,Error message. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 6fb1437e5c..63819cc3a0 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -874,7 +874,9 @@ cloud.entity.type: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, its type array should + include the matching value — for example, `host` or `cloud`.' example: host flat_name: cloud.entity.type ignore_above: 1024 @@ -1205,7 +1207,9 @@ cloud.origin.entity.type: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, its type array should + include the matching value — for example, `host` or `cloud`.' example: host flat_name: cloud.origin.entity.type ignore_above: 1024 
@@ -1682,7 +1686,9 @@ cloud.target.entity.type: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, its type array should + include the matching value — for example, `host` or `cloud`.' example: host flat_name: cloud.target.entity.type ignore_above: 1024 
@@ -3860,6 +3866,511 @@ email.x_mailer: normalize: [] short: Application that drafted email. type: keyword +entity.attributes: + beta: This field is beta and subject to change. + dashed_name: entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: entity.attributes + level: extended + name: attributes + normalize: [] + short: A set of static or semi-static attributes of the entity. + type: object +entity.behavior: + beta: This field is beta and subject to change. + dashed_name: entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: entity.behavior + level: extended + name: behavior + normalize: [] + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +entity.display_name: + beta: This field is beta and subject to change. + dashed_name: entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +entity.id: + dashed_name: entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + short: Unique identifier for the entity. + type: keyword +entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + short: Indicates the date/time when this entity was last "seen." + type: date +entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: entity.lifecycle + level: extended + name: lifecycle + normalize: [] + short: A set of temporal characteristics of the entity. + type: object +entity.metrics: + beta: This field is beta and subject to change. + dashed_name: entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: entity.metrics + level: extended + name: metrics + normalize: [] + short: Field set for any fields containing numeric entity metrics. + type: object +entity.name: + beta: This field is beta and subject to change. + dashed_name: entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + short: The name of the entity. + type: keyword +entity.raw: + beta: This field is beta and subject to change. + dashed_name: entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: entity.raw + level: extended + name: raw + normalize: [] + short: Original, unmodified fields from the source system. + type: object +entity.reference: + beta: This field is beta and subject to change. + dashed_name: entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +entity.source: + beta: This field is beta and subject to change. + dashed_name: entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + short: Source module or integration that provided the entity data. + type: keyword +entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +entity.target.attributes: + beta: This field is beta and subject to change. + dashed_name: entity-target-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: entity.target.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. 
+ type: object +entity.target.behavior: + beta: This field is beta and subject to change. + dashed_name: entity-target-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: entity.target.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +entity.target.display_name: + beta: This field is beta and subject to change. + dashed_name: entity-target-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: entity.target.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: entity.target.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +entity.target.id: + dashed_name: entity-target-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. 
Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: entity.target.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +entity.target.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: entity-target-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: entity.target.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +entity.target.lifecycle: + beta: This field is beta and subject to change. + dashed_name: entity-target-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: entity.target.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +entity.target.metrics: + beta: This field is beta and subject to change. + dashed_name: entity-target-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: entity.target.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +entity.target.name: + beta: This field is beta and subject to change. + dashed_name: entity-target-name + description: The name of the entity. 
The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: entity.target.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: entity.target.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +entity.target.raw: + beta: This field is beta and subject to change. + dashed_name: entity-target-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: entity.target.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +entity.target.reference: + beta: This field is beta and subject to change. + dashed_name: entity-target-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: entity.target.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +entity.target.source: + beta: This field is beta and subject to change. + dashed_name: entity-target-source + description: The module or integration that provided this entity data (similar to + event.module). 
+ flat_name: entity.target.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +entity.target.sub_type: + beta: This field is beta and subject to change. + dashed_name: entity-target-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: entity.target.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +entity.target.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. 
+ name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. 
+ name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: entity-target-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, its type array should + include the matching value — for example, `host` or `cloud`.' + example: host + flat_name: entity.target.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. 
+ name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + - description: Represents a cloud or infrastructure. This includes cloud providers + and their services (such as AWS EC2), and is used to identify or correlate resources, + entities, and activities across accounts or multi-cloud environments. + name: cloud + - description: Represents an orchestration system or orchestrator component. This + includes container orchestrators like Kubernetes, Docker Swarm, and other systems + responsible for automating the deployment, management, scaling, and networking + of containers or workloads. + name: orchestrator + beta: This field is beta and subject to change. + dashed_name: entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, its type array should + include the matching value — for example, `host` or `cloud`.' 
+ example: host + flat_name: entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + short: Standardized high-level classification of the entity. + type: keyword error.code: dashed_name: error-code description: Error code describing the error. @@ -7475,7 +7986,9 @@ host.entity.type: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, its type array should + include the matching value — for example, `host` or `cloud`.' example: host flat_name: host.entity.type ignore_above: 1024 @@ -9540,7 +10053,9 @@ orchestrator.entity.type: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, its type array should + include the matching value — for example, `host` or `cloud`.' example: host flat_name: orchestrator.entity.type ignore_above: 1024 
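Review bot: in the `entity.target.type` and `entity.type` hunks the description's example list (`bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc.) still omits `service`, even though `name: service` sits in the `allowed_values` block a few lines above and this sentence is being edited anyway; add `service` to the list in schemas/entity.yml so every generated copy (and the docs table) picks it up. Two smaller nits in the same hunk that also come from the schema: `Represents a cloud or infrastructure.` reads as if a word is missing (`Represents a cloud provider or cloud infrastructure.`), and the `entity.target.sub_type` description carries stray spaces before the commas in `` `hardware` , `virtual` , `container` , `node` ``.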
@@ -16018,7 +16533,9 @@ service.entity.type: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, its type array should + include the matching value — for example, `host` or `cloud`.' example: host flat_name: service.entity.type ignore_above: 1024 @@ -16436,7 +16953,9 @@ service.origin.entity.type: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, its type array should + include the matching value — for example, `host` or `cloud`.' example: host flat_name: service.origin.entity.type ignore_above: 1024 @@ -16903,7 +17422,9 @@ service.target.entity.type: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, its type array should + include the matching value — for example, `host` or `cloud`.' example: host flat_name: service.target.entity.type ignore_above: 1024 
@@ -24864,7 +25385,9 @@ user.changes.entity.type: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, its type array should + include the matching value — for example, `host` or `cloud`.' example: host flat_name: user.changes.entity.type ignore_above: 1024 @@ -25345,7 +25868,9 @@ user.effective.entity.type: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, its type array should + include the matching value — for example, `host` or `cloud`.' example: host flat_name: user.effective.entity.type ignore_above: 1024 @@ -25803,7 +26328,9 @@ user.entity.type: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, its type array should + include the matching value — for example, `host` or `cloud`.' example: host flat_name: user.entity.type ignore_above: 1024 
@@ -26282,7 +26809,9 @@ user.target.entity.type: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is + nested under a top-level namespace like `host` or `cloud`, its type array should + include the matching value — for example, `host` or `cloud`.' example: host flat_name: user.target.entity.type ignore_above: 1024 diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 644f4cd19a..7ed4ddc055 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -1069,7 +1069,9 @@ cloud: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host flat_name: cloud.entity.type ignore_above: 1024 
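Review bot: the unchanged context line `example: host` directly under the new sentence now contradicts it for every non-host nesting in these hunks (`user.changes.entity.type`, `user.effective.entity.type`, `user.entity.type`, `user.target.entity.type`, and the `service.*` and `orchestrator.*` copies above): by the rule just added, an entity nested under `user` should carry `user` in its type array, not `host`. The example is inherited from the base `entity.type` definition and stamped under each reuse, so either choose an example that does not depend on the nesting or phrase the sentence as "for example, `host` for `host.entity`, `user` for `user.entity`" so the context line stops reading as a counter-example.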
@@ -1405,7 +1407,9 @@ cloud: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host flat_name: cloud.origin.entity.type ignore_above: 1024 @@ -1887,7 +1891,9 @@ cloud: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host flat_name: cloud.target.entity.type ignore_above: 1024 @@ -5297,7 +5303,9 @@ entity: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host flat_name: entity.target.type ignore_above: 1024 
@@ -5375,7 +5383,9 @@ entity: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host flat_name: entity.type ignore_above: 1024 @@ -5416,7 +5426,7 @@ entity: at: entity full: entity.target short_override: Targeted entity of action taken. - top_level: false + top_level: true reused_here: - full: entity.target schema_name: entity @@ -9533,7 +9543,9 @@ host: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host flat_name: host.entity.type ignore_above: 1024 
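Review bot: the `- top_level: false` / `+ top_level: true` flip in the `entity:` hunk is the behavioural change in this patch, not the description text: it is what makes `entity.*` legal at the top level of an event and is why `ecs_9.3.0-dev_entity` now appears as its own component template. None of the diffstats visible in this PR touch a changelog; please add a CHANGELOG.next.md line for the top-level reuse of `entity` so consumers that relied on `entity.*` being nested-only are told the template changed.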
@@ -11956,7 +11968,9 @@ orchestrator: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host flat_name: orchestrator.entity.type ignore_above: 1024 @@ -19301,7 +19315,9 @@ service: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host flat_name: service.entity.type ignore_above: 1024 @@ -19726,7 +19742,9 @@ service: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host flat_name: service.origin.entity.type ignore_above: 1024 
@@ -20200,7 +20218,9 @@ service: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host flat_name: service.target.entity.type ignore_above: 1024 @@ -28399,7 +28419,9 @@ user: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host flat_name: user.changes.entity.type ignore_above: 1024 @@ -28885,7 +28907,9 @@ user: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host flat_name: user.effective.entity.type ignore_above: 1024 
@@ -29348,7 +29372,9 @@ user: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host flat_name: user.entity.type ignore_above: 1024 @@ -29832,7 +29858,9 @@ user: description: 'A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, `cloud`, `orchestrator`, etc.' + `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity + is nested under a top-level namespace like `host` or `cloud`, its type array + should include the matching value — for example, `host` or `cloud`.' example: host flat_name: user.target.entity.type ignore_above: 1024 diff --git a/generated/elasticsearch/composable/component/entity.json b/generated/elasticsearch/composable/component/entity.json new file mode 100644 index 0000000000..c18bcf07b9 --- /dev/null +++ b/generated/elasticsearch/composable/component/entity.json 
@@ -0,0 +1,132 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-entity.html", + "ecs_version": "9.3.0-dev" + }, + "template": { + "mappings": { + "properties": { + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} 
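Review bot: `raw`, `attributes`, `behavior`, `lifecycle` and `metrics` are mapped as bare `"type": "object"` with no `dynamic` or `enabled` setting, and the whole set is repeated under `entity.target`; with Elasticsearch's default dynamic mapping, every key an integration places under `entity.raw` or `entity.target.raw` becomes its own mapped field, which for provider-specific payloads means unbounded field growth in the index. If `raw` is meant to hold the source record as-is, `"enabled": false` (stored, not indexed) or `"type": "flattened"` (queryable by key without per-key mappings) is the safer mapping; if the open `object` is intentional, say so in the field description so integration authors know they are responsible for bounding what goes under it.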
diff --git a/generated/elasticsearch/composable/template.json b/generated/elasticsearch/composable/template.json index ce90e997d0..b9692c0857 100644 --- a/generated/elasticsearch/composable/template.json +++ b/generated/elasticsearch/composable/template.json @@ -16,6 +16,7 @@ "ecs_9.3.0-dev_dns", "ecs_9.3.0-dev_ecs", "ecs_9.3.0-dev_email", + "ecs_9.3.0-dev_entity", "ecs_9.3.0-dev_error", "ecs_9.3.0-dev_event", "ecs_9.3.0-dev_faas", diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 537e93a278..a0acf841af 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json 
@@ -1384,6 +1384,126 @@ } } }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "error": { "properties": { "code": { diff --git a/schemas/entity.yml b/schemas/entity.yml index 5946fb06f0..f137831fda 100644 --- a/schemas/entity.yml +++ b/schemas/entity.yml 
@@ -20,7 +20,7 @@ action taken. root: false reusable: - top_level: false + top_level: true order: 2 expected: - user @@ -73,6 +73,7 @@ description: > A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. + If an entity is nested under a top-level namespace like `host` or `cloud`, its type array should include the matching value — for example, `host` or `cloud`. normalize: - array allowed_values: From 393176fe03612f392b09d689d601ff6014c85050 Mon Sep 17 00:00:00 2001 From: Uri Weisman <68195305+uri-weisman@users.noreply.github.com> Date: Wed, 12 Nov 2025 17:51:07 +0200 Subject: [PATCH 6/7] Update schemas/entity.yml Co-authored-by: Alexandra Konrad --- schemas/entity.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schemas/entity.yml b/schemas/entity.yml index f137831fda..de36529f16 100644 --- a/schemas/entity.yml +++ b/schemas/entity.yml @@ -73,7 +73,7 @@ description: > A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. - If an entity is nested under a top-level namespace like `host` or `cloud`, its type array should include the matching value — for example, `host` or `cloud`. + If an entity is nested under a top-level namespace like `host` or `cloud`, or similar, its type array should include the matching value — for example, `host` or `cloud`. normalize: - array allowed_values: From cdeacaf792af08ec7f0c831104ea6ba49d62844a Mon Sep 17 00:00:00 2001 
From: uri-weisman Date: Wed, 12 Nov 2025 17:59:56 +0200 Subject: [PATCH 7/7] addressing CR 2 --- docs/reference/ecs-entity.md | 2 +- experimental/generated/beats/fields.ecs.yml | 70 ++++++++++++--------- experimental/generated/ecs/ecs_flat.yml | 56 ++++++++--------- experimental/generated/ecs/ecs_nested.yml | 70 ++++++++++++--------- generated/beats/fields.ecs.yml | 70 ++++++++++++--------- generated/ecs/ecs_flat.yml | 56 ++++++++--------- generated/ecs/ecs_nested.yml | 70 ++++++++++++--------- 7 files changed, 225 insertions(+), 169 deletions(-) diff --git a/docs/reference/ecs-entity.md b/docs/reference/ecs-entity.md index a5f97f2193..951777bfdb 100644 --- a/docs/reference/ecs-entity.md +++ b/docs/reference/ecs-entity.md @@ -27,7 +27,7 @@ The entity fields provide a standardized way to represent and categorize differe | $$$field-entity-reference$$$ [entity.reference](#field-entity-reference) | _This field is beta and subject to change._ A URI, URL, or other direct reference to access or locate the entity in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system.

type: keyword | extended | | $$$field-entity-source$$$ [entity.source](#field-entity-source) | _This field is beta and subject to change._ The module or integration that provided this entity data (similar to event.module).

type: keyword | core | | $$$field-entity-sub-type$$$ [entity.sub_type](#field-entity-sub-type) | _This field is beta and subject to change._ The specific type designation for the entity as defined by its provider or system. This field provides more granular classification than the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` would all map to entity type `bucket`. `hardware` , `virtual` , `container` , `node` , `cloud_instance` would all map to entity type `host`.

type: keyword

example: `aws_s3_bucket` | extended | -| $$$field-entity-type$$$ [entity.type](#field-entity-type) | _This field is beta and subject to change._ A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is nested under a top-level namespace like `host` or `cloud`, its type array should include the matching value — for example, `host` or `cloud`.

type: keyword

Note: This field should contain an array of values.

**Important:** The field value must be one of the following:

bucket, database, container, function, queue, host, user, application, service, session, cloud, orchestrator

To learn more about when to use which value, visit the page [allowed values for entity.type](/reference/ecs-allowed-values-entity-type.md)
| core | +| $$$field-entity-type$$$ [entity.type](#field-entity-type) | _This field is beta and subject to change._ A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is nested under a top-level namespace like `host` or `cloud`, or similar, its type array should include the matching value — for example, `host` or `cloud`.

type: keyword

Note: This field should contain an array of values.

**Important:** The field value must be one of the following:

bucket, database, container, function, queue, host, user, application, service, session, cloud, orchestrator

To learn more about when to use which value, visit the page [allowed values for entity.type](/reference/ecs-allowed-values-entity-type.md)
| core | ## Field reuse [_field_reuse] diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index b07d5ba055..07ed3200f1 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -626,8 +626,9 @@ a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host default_field: false - name: instance.id @@ -790,8 +791,9 @@ a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host default_field: false - name: origin.instance.id 
@@ -1043,8 +1045,9 @@ a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host default_field: false - name: target.instance.id @@ -2668,8 +2671,9 @@ a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host default_field: false - name: type @@ -2680,8 +2684,9 @@ a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host default_field: false - name: error 
@@ -4531,8 +4536,9 @@ a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host default_field: false - name: geo.city_name @@ -5708,8 +5714,9 @@ a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host default_field: false - name: namespace @@ -9658,8 +9665,9 @@ a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host default_field: false - name: environment 
@@ -9890,8 +9898,9 @@ a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host default_field: false - name: origin.environment @@ -10159,8 +10168,9 @@ a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host default_field: false - name: target.environment @@ -14845,8 +14855,9 @@ a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host default_field: false - name: changes.full_name 
@@ -15096,8 +15107,9 @@ a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host default_field: false - name: effective.full_name @@ -15331,8 +15343,9 @@ a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host default_field: false - name: full_name @@ -15570,8 +15583,9 @@ a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host default_field: false - name: target.full_name 
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 08235ae013..f450e8cd60 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -944,8 +944,8 @@ cloud.entity.type: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is - nested under a top-level namespace like `host` or `cloud`, its type array should - include the matching value — for example, `host` or `cloud`.' + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' example: host flat_name: cloud.entity.type ignore_above: 1024 @@ -1277,8 +1277,8 @@ cloud.origin.entity.type: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is - nested under a top-level namespace like `host` or `cloud`, its type array should - include the matching value — for example, `host` or `cloud`.' + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' example: host flat_name: cloud.origin.entity.type ignore_above: 1024 
@@ -1756,8 +1756,8 @@ cloud.target.entity.type: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is - nested under a top-level namespace like `host` or `cloud`, its type array should - include the matching value — for example, `host` or `cloud`.' + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' example: host flat_name: cloud.target.entity.type ignore_above: 1024 @@ -4351,8 +4351,8 @@ entity.target.type: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is - nested under a top-level namespace like `host` or `cloud`, its type array should - include the matching value — for example, `host` or `cloud`.' + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' example: host flat_name: entity.target.type ignore_above: 1024 @@ -4429,8 +4429,8 @@ entity.type: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is - nested under a top-level namespace like `host` or `cloud`, its type array should - include the matching value — for example, `host` or `cloud`.' + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' example: host flat_name: entity.type ignore_above: 1024 
@@ -8056,8 +8056,8 @@ host.entity.type: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is - nested under a top-level namespace like `host` or `cloud`, its type array should - include the matching value — for example, `host` or `cloud`.' + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' example: host flat_name: host.entity.type ignore_above: 1024 @@ -10123,8 +10123,8 @@ orchestrator.entity.type: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is - nested under a top-level namespace like `host` or `cloud`, its type array should - include the matching value — for example, `host` or `cloud`.' + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' example: host flat_name: orchestrator.entity.type ignore_above: 1024 @@ -16603,8 +16603,8 @@ service.entity.type: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is - nested under a top-level namespace like `host` or `cloud`, its type array should - include the matching value — for example, `host` or `cloud`.' + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' example: host flat_name: service.entity.type ignore_above: 1024 
@@ -17023,8 +17023,8 @@ service.origin.entity.type: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is - nested under a top-level namespace like `host` or `cloud`, its type array should - include the matching value — for example, `host` or `cloud`.' + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' example: host flat_name: service.origin.entity.type ignore_above: 1024 @@ -17492,8 +17492,8 @@ service.target.entity.type: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is - nested under a top-level namespace like `host` or `cloud`, its type array should - include the matching value — for example, `host` or `cloud`.' + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' example: host flat_name: service.target.entity.type ignore_above: 1024 
@@ -25455,8 +25455,8 @@ user.changes.entity.type: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is - nested under a top-level namespace like `host` or `cloud`, its type array should - include the matching value — for example, `host` or `cloud`.' + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' example: host flat_name: user.changes.entity.type ignore_above: 1024 @@ -25938,8 +25938,8 @@ user.effective.entity.type: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is - nested under a top-level namespace like `host` or `cloud`, its type array should - include the matching value — for example, `host` or `cloud`.' + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' example: host flat_name: user.effective.entity.type ignore_above: 1024 @@ -26398,8 +26398,8 @@ user.entity.type: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is - nested under a top-level namespace like `host` or `cloud`, its type array should - include the matching value — for example, `host` or `cloud`.' + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' example: host flat_name: user.entity.type ignore_above: 1024 
@@ -26879,8 +26879,8 @@ user.target.entity.type: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is - nested under a top-level namespace like `host` or `cloud`, its type array should - include the matching value — for example, `host` or `cloud`.' + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' example: host flat_name: user.target.entity.type ignore_above: 1024 diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index d6425c8906..86f3a04517 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -1150,8 +1150,9 @@ cloud: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host flat_name: cloud.entity.type ignore_above: 1024 
@@ -1488,8 +1489,9 @@ cloud: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host flat_name: cloud.origin.entity.type ignore_above: 1024 @@ -1972,8 +1974,9 @@ cloud: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host flat_name: cloud.target.entity.type ignore_above: 1024 @@ -5384,8 +5387,9 @@ entity: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host flat_name: entity.target.type ignore_above: 1024 
@@ -5464,8 +5468,9 @@ entity: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host flat_name: entity.type ignore_above: 1024 @@ -9624,8 +9629,9 @@ host: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host flat_name: host.entity.type ignore_above: 1024 @@ -12049,8 +12055,9 @@ orchestrator: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host flat_name: orchestrator.entity.type ignore_above: 1024 
@@ -19396,8 +19403,9 @@ service: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host flat_name: service.entity.type ignore_above: 1024 @@ -19823,8 +19831,9 @@ service: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host flat_name: service.origin.entity.type ignore_above: 1024 @@ -20299,8 +20308,9 @@ service: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host flat_name: service.target.entity.type ignore_above: 1024 
@@ -28500,8 +28510,9 @@ user: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host flat_name: user.changes.entity.type ignore_above: 1024 @@ -28988,8 +28999,9 @@ user: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host flat_name: user.effective.entity.type ignore_above: 1024 @@ -29453,8 +29465,9 @@ user: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host flat_name: user.entity.type ignore_above: 1024 
@@ -29939,8 +29952,9 @@ user: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host flat_name: user.target.entity.type ignore_above: 1024 diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 5f7677c551..3366cfd8ea 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -576,8 +576,9 @@ a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host default_field: false - name: instance.id 
@@ -740,8 +741,9 @@ a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host default_field: false - name: origin.instance.id @@ -993,8 +995,9 @@ a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host default_field: false - name: target.instance.id @@ -2618,8 +2621,9 @@ a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host default_field: false - name: type 
@@ -2630,8 +2634,9 @@ a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host default_field: false - name: error @@ -4481,8 +4486,9 @@ a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host default_field: false - name: geo.city_name @@ -5658,8 +5664,9 @@ a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host default_field: false - name: namespace 
@@ -9608,8 +9615,9 @@ a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host default_field: false - name: environment @@ -9840,8 +9848,9 @@ a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host default_field: false - name: origin.environment @@ -10109,8 +10118,9 @@ a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host default_field: false - name: target.environment 
@@ -14795,8 +14805,9 @@ a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host default_field: false - name: changes.full_name @@ -15046,8 +15057,9 @@ a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host default_field: false - name: effective.full_name @@ -15281,8 +15293,9 @@ a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host default_field: false - name: full_name 
@@ -15520,8 +15533,9 @@ a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host default_field: false - name: target.full_name diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 63819cc3a0..40f65f7fd7 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -875,8 +875,8 @@ cloud.entity.type: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is - nested under a top-level namespace like `host` or `cloud`, its type array should - include the matching value — for example, `host` or `cloud`.' + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' example: host flat_name: cloud.entity.type ignore_above: 1024 
@@ -1208,8 +1208,8 @@ cloud.origin.entity.type: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is - nested under a top-level namespace like `host` or `cloud`, its type array should - include the matching value — for example, `host` or `cloud`.' + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' example: host flat_name: cloud.origin.entity.type ignore_above: 1024 @@ -1687,8 +1687,8 @@ cloud.target.entity.type: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is - nested under a top-level namespace like `host` or `cloud`, its type array should - include the matching value — for example, `host` or `cloud`.' + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' example: host flat_name: cloud.target.entity.type ignore_above: 1024 @@ -4282,8 +4282,8 @@ entity.target.type: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is - nested under a top-level namespace like `host` or `cloud`, its type array should - include the matching value — for example, `host` or `cloud`.' + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' example: host flat_name: entity.target.type ignore_above: 1024 
@@ -4360,8 +4360,8 @@ entity.type: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is - nested under a top-level namespace like `host` or `cloud`, its type array should - include the matching value — for example, `host` or `cloud`.' + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' example: host flat_name: entity.type ignore_above: 1024 @@ -7987,8 +7987,8 @@ host.entity.type: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is - nested under a top-level namespace like `host` or `cloud`, its type array should - include the matching value — for example, `host` or `cloud`.' + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' example: host flat_name: host.entity.type ignore_above: 1024 @@ -10054,8 +10054,8 @@ orchestrator.entity.type: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is - nested under a top-level namespace like `host` or `cloud`, its type array should - include the matching value — for example, `host` or `cloud`.' + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' example: host flat_name: orchestrator.entity.type ignore_above: 1024 
@@ -16534,8 +16534,8 @@ service.entity.type: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is - nested under a top-level namespace like `host` or `cloud`, its type array should - include the matching value — for example, `host` or `cloud`.' + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' example: host flat_name: service.entity.type ignore_above: 1024 @@ -16954,8 +16954,8 @@ service.origin.entity.type: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is - nested under a top-level namespace like `host` or `cloud`, its type array should - include the matching value — for example, `host` or `cloud`.' + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' example: host flat_name: service.origin.entity.type ignore_above: 1024 @@ -17423,8 +17423,8 @@ service.target.entity.type: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is - nested under a top-level namespace like `host` or `cloud`, its type array should - include the matching value — for example, `host` or `cloud`.' + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' example: host flat_name: service.target.entity.type ignore_above: 1024 
@@ -25386,8 +25386,8 @@ user.changes.entity.type: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is - nested under a top-level namespace like `host` or `cloud`, its type array should - include the matching value — for example, `host` or `cloud`.' + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' example: host flat_name: user.changes.entity.type ignore_above: 1024 @@ -25869,8 +25869,8 @@ user.effective.entity.type: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is - nested under a top-level namespace like `host` or `cloud`, its type array should - include the matching value — for example, `host` or `cloud`.' + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' example: host flat_name: user.effective.entity.type ignore_above: 1024 @@ -26329,8 +26329,8 @@ user.entity.type: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is - nested under a top-level namespace like `host` or `cloud`, its type array should - include the matching value — for example, `host` or `cloud`.' + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' example: host flat_name: user.entity.type ignore_above: 1024 
@@ -26810,8 +26810,8 @@ user.target.entity.type: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is - nested under a top-level namespace like `host` or `cloud`, its type array should - include the matching value — for example, `host` or `cloud`.' + nested under a top-level namespace like `host` or `cloud`, or similar, its type + array should include the matching value — for example, `host` or `cloud`.' example: host flat_name: user.target.entity.type ignore_above: 1024 diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 7ed4ddc055..48d310bdda 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -1070,8 +1070,9 @@ cloud: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host flat_name: cloud.entity.type ignore_above: 1024 
@@ -1408,8 +1409,9 @@ cloud: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host flat_name: cloud.origin.entity.type ignore_above: 1024 @@ -1892,8 +1894,9 @@ cloud: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host flat_name: cloud.target.entity.type ignore_above: 1024 @@ -5304,8 +5307,9 @@ entity: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host flat_name: entity.target.type ignore_above: 1024 
@@ -5384,8 +5388,9 @@ entity: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host flat_name: entity.type ignore_above: 1024 @@ -9544,8 +9549,9 @@ host: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host flat_name: host.entity.type ignore_above: 1024 @@ -11969,8 +11975,9 @@ orchestrator: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host flat_name: orchestrator.entity.type ignore_above: 1024 
@@ -19316,8 +19323,9 @@ service: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host flat_name: service.entity.type ignore_above: 1024 @@ -19743,8 +19751,9 @@ service: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host flat_name: service.origin.entity.type ignore_above: 1024 @@ -20219,8 +20228,9 @@ service: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host flat_name: service.target.entity.type ignore_above: 1024 
@@ -28420,8 +28430,9 @@ user: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host flat_name: user.changes.entity.type ignore_above: 1024 @@ -28908,8 +28919,9 @@ user: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host flat_name: user.effective.entity.type ignore_above: 1024 @@ -29373,8 +29385,9 @@ user: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host flat_name: user.entity.type ignore_above: 1024 
@@ -29859,8 +29872,9 @@ user: a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity - is nested under a top-level namespace like `host` or `cloud`, its type array - should include the matching value — for example, `host` or `cloud`.' + is nested under a top-level namespace like `host` or `cloud`, or similar, + its type array should include the matching value — for example, `host` or + `cloud`.' example: host flat_name: user.target.entity.type ignore_above: 1024
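Review bot: the new phrase "like `host` or `cloud`, or similar" (the `+` lines in every hunk above, from the first `@@ -2630,8 +2634,9 @@` hunk through `user.target.entity.type`) is redundant ("like" already means "or similar") and leaves the rule as vague as before. This same patch carries the description for `user.entity.type`, `service.entity.type` and `orchestrator.entity.type`, so the field sets the sentence is trying to cover are known; name them instead of hedging, e.g. `If an entity is nested under a top-level field set such as \`host\`, \`cloud\`, \`user\`, \`service\` or \`orchestrator\`, its type array should include the matching value.` One wording, applied in the schema source so that all copies agree.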
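Review bot: the rule "its type array should include the matching value" does not say what the matching value is for the deeper nestings this patch touches: `cloud.origin.entity.type`, `cloud.target.entity.type`, `service.origin.entity.type`, `service.target.entity.type`, `user.changes.entity.type`, `user.effective.entity.type`, `user.target.entity.type`, and `entity.target.type`. For the first seven the intended value is presumably the outermost field set (`cloud`, `service`, `user`) rather than `origin`, `target`, `changes` or `effective`; for `entity.target.type` there is no enclosing namespace, so the sentence is silent on whether `type` is required there at all. Add one sentence to the description stating that the value comes from the outermost field set and that root-level `entity.*` and `entity.target.*` carry no implied value.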
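Review bot: the hunks in `generated/ecs/ecs_flat.yml` and `generated/ecs/ecs_nested.yml` (and the file preceding them, whose `diff --git` header is not visible here but which repeats the same description at fourteen `- name:` locations) are generator output, which is why the line wrapping differs between copies (`or similar,` ends the line in the nested files, while the flat file breaks after `its type`). Confirm these were produced by regenerating from the schema rather than hand-edited, and that the corresponding change to the schema source is part of the same change set; otherwise the next regeneration silently reverts all of these descriptions to the old wording.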